From pvoborni at redhat.com Tue Sep 1 11:27:40 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 1 Sep 2015 13:27:40 +0200
Subject: [Freeipa-users] Troubles with extending FreeIPA Web UI to fit my environment
In-Reply-To: <55DE813E.8010505@iisg.agh.edu.pl>
References: <55DE813E.8010505@iisg.agh.edu.pl>
Message-ID: <55E58BAC.7090202@redhat.com>

On 08/27/2015 05:17 AM, Mateusz Małek wrote:
> Hi everyone,
>
> We're trying to adjust FreeIPA to our environment... quite a bit. Here
> are some bullet points:
>
> 1. User home directory location is dependent on user primary group and
> its value should be autogenerated on user creation.
> 2. User administrator should be able to select user account type (its
> primary group) in some user-friendly way from a pre-determined list of
> possible choices - without the need to remember the GID number associated
> with each account type.
> 3. Passwords need to be generated automatically, so the user administrator
> won't be required to invent them for every single user. It should appear
> on-screen after user account creation.
> 4. If a username was not provided, it should also be generated using some
> pre-determined method. It also should be shown after creating a new user.
> 5. Some user accounts have an expiration date and need to be renewed
> every year. The user administrator should be able to extend user account
> validity with a single mouse-click in the Web UI (with an additional click
> for a confirmation prompt, probably).
> 6. Many user account attributes are not in use in our environment - they
> should be hidden in the Web UI to avoid confusion (for example job title in
> search view).
>
> And probably the most important thing: *all these things have to be
> done without modifying files installed from the RPM package* - we are using
> ipa-server from CentOS 7 repositories and we don't want things to break
> on update.
>
> Point 1 was an easy one - we used an additional script in ipalib/plugins and
> user_add.register_pre_callback to hook into the user account creation
> process. We also use this hook to assign gidNumber based on the "User class"
> specified in the account creation form in the Web UI (point 2).
> Unfortunately, I have trouble with point 4 - the uid attribute is specified
> in takes_params with default_from=lambda givenname, sn: givenname[0] + sn
> and when the hook gets called, the entry is already filled with this default
> value. How can I override this behavior? Is it at least possible to
> distinguish (in hook code) between a value generated using default_from
> and a value manually typed into the account creation form? (It seems that
> the default value is also checked for duplicates before calling the hook -
> this still needs to be overridden, as it will prevent our username generator
> from even getting called.)
>
> For points 3, 5, 6 and to limit available choices in 2, we need to plug
> into the Web UI. Samples at https://pvoborni.fedorapeople.org/plugins/
> provided us with some basic info on how to write plugins.

Glad to read that the plugin support is used, especially at this scale.
I'd like to ask you for feedback. What are the main things that would
make extending IPA easier for you?

> I've copied the pre-minified freeipa/user.js file and turned it into a
> plugin. However, I face some issues when I register my module under a
> different entity name instead of overriding user (I want to keep the
> original user module available)

Just curious, why do you want to keep the original user entity object?

> - reg.entity.register({type: 'new-user', spec: exp.entity_spec}); - I get
> "IPA Error 3004: MaxArgumentError: command 'user_find' takes at most 1
> argument".
> It seems that the check if (that.entity !== that.managed_entity) in
> freeipa/search.js fails (the condition is true), which causes the
> managed_entity_pkey_prefix function to return [""] instead of [] - object
> inspection shows both entity and managed_entity refer to the user entity,
> but probably these are two different JS objects (and that's why they are
> considered different). Am I doing something wrong or is it some bug?

There is no claim that it should work, so I would say that it is more a
limitation of the original design and unfinished refactoring than a bug.
The code can be improved to support multiple entity objects for the same
IPA object, but I'm worried that it can break something else. Maybe a
simple comparison by entity name would help.

> Best regards
> Mateusz Małek
>
> Intelligent Information Systems Group
> Department of Computer Science
> AGH University of Science and Technology, Kraków, Poland

-- 
Petr Vobornik

From yks0000 at gmail.com Tue Sep 1 12:24:00 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Tue, 1 Sep 2015 17:54:00 +0530
Subject: [Freeipa-users] FreeIPA Sudo Error: Resource temporarily unavailable

Even the user's details are not coming:

[root at btservice-mysql-prd-ng2-01 sssd]# id vg4381
id: vg4381: No such user
[root at btservice-mysql-prd-ng2-01 sssd]# getent passwd vg4381
[root at btservice-mysql-prd-ng2-01 sssd]#

Best Regards,
__________________________________________
Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

On Tue, Sep 1, 2015 at 5:05 PM, Yogesh Sharma wrote:
> Hi,
>
> We are getting the below error while a user tries to do sudo, while it
> works for old users.
>
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [vg4381] from []
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40bc10:3:vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [klikpay.int][3][1][name=vg4381]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40bc10:3:vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider
> Error: 1, 11, Offline
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [vg4381] from [klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*))(&(dataExpireTimestamp<=1441107001)))]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x407380:0:1:vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_sudoers_msg] (0x0400): Creating SUDOers request for [klikpay.int][7][vg4381][1]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x407380:0:1:vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40bc10:3:vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information from Data Provider
> Error: 1, 11, Resource temporarily unavailable
> Will try to return what we have in cache
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x407380:0:1:vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [vg4381] from []
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40bc10:3:vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [klikpay.int][3][1][name=vg4381]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40bc10:3:vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider
> Error: 1, 11, Offline
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [vg4381] from [klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*))(&(dataExpireTimestamp<=1441107001)))]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x407380:0:1:vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_sudoers_msg] (0x0400): Creating SUDOers request for [klikpay.int][7][vg4381][1]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x407380:0:1:vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40bc10:3:vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information from Data Provider
> Error: 1, 11, Resource temporarily unavailable
> Will try to return what we have in cache
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*)))]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [vg4381 at klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x407380:0:1:vg4381 at klikpay.int]
>
> Best Regards,
> __________________________________________
> Yogesh Sharma
> Email: yks0000 at gmail.com | Web: www.initd.in
> RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

From yks0000 at gmail.com Tue Sep 1 12:48:01 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Tue, 1 Sep 2015 18:18:01 +0530
Subject: [Freeipa-users] FreeIPA Sudo Error: Resource temporarily unavailable

Hi,

This is fixed. On digging more, I found that my resolv.conf was updated and
it was not able to find the domain. Fixing resolv.conf with the right
nameserver fixed the issue.

Best Regards,
__________________________________________
Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

On Tue, Sep 1, 2015 at 5:54 PM, Yogesh Sharma wrote:
> Even the user's details are not coming:
>
> [root at btservice-mysql-prd-ng2-01 sssd]# id vg4381
> id: vg4381: No such user
> [root at btservice-mysql-prd-ng2-01 sssd]# getent passwd vg4381
> [root at btservice-mysql-prd-ng2-01 sssd]#
>
> Best Regards,
> __________________________________________
> Yogesh Sharma
> Email: yks0000 at gmail.com | Web: www.initd.in
> RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
>
> On Tue, Sep 1, 2015 at 5:05 PM, Yogesh Sharma wrote:
>
>> Hi,
>>
>> We are getting the below error while a user tries to do sudo, while it
>> works for old users.
>>
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [vg4381] from []
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40bc10:3:vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [klikpay.int][3][1][name=vg4381]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40bc10:3:vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider
>> Error: 1, 11, Offline
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [vg4381] from [klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*))(&(dataExpireTimestamp<=1441107001)))]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x407380:0:1:vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_sudoers_msg] (0x0400): Creating SUDOers request for [klikpay.int][7][vg4381][1]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x407380:0:1:vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40bc10:3:vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information from Data Provider
>> Error: 1, 11, Resource temporarily unavailable
>> Will try to return what we have in cache
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x407380:0:1:vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [vg4381] from []
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40bc10:3:vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [klikpay.int][3][1][name=vg4381]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40bc10:3:vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider
>> Error: 1, 11, Offline
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [vg4381] from [klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*))(&(dataExpireTimestamp<=1441107001)))]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x407380:0:1:vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_sudoers_msg] (0x0400): Creating SUDOers request for [klikpay.int][7][vg4381][1]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x407380:0:1:vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40bc10:3:vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information from Data Provider
>> Error: 1, 11, Resource temporarily unavailable
>> Will try to return what we have in cache
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*)))]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [vg4381 at klikpay.int]
>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x407380:0:1:vg4381 at klikpay.int]
>>
>> Best Regards,
>> __________________________________________
>> Yogesh Sharma
>> Email: yks0000 at gmail.com | Web: www.initd.in
>> RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

From bpk678 at gmail.com Tue Sep 1 13:30:24 2015
From: bpk678 at gmail.com (Brendan Kearney)
Date: Tue, 01 Sep 2015 09:30:24 -0400
Subject: [Freeipa-users] GSSAPI authentication for libvirt VNC
In-Reply-To: <1440953389.7321.26.camel@olivarim.com>
References: <1440953389.7321.26.camel@olivarim.com>
Message-ID: <55E5A870.200@gmail.com>

On 08/30/2015 12:49 PM, Marin Bernard wrote:
> Hi,
>
> I followed the instructions from freeipa.org
> (https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
> and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
> fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
> unable to get a VNC connection to any guest: both virt-manager and
> virt-viewer fail. The former speaks about a "closed or refused
> connection", and the latter just closes.
>
> On the KVM host, each VNC login attempt adds the following record to
> the systemd journal:
>
> qemu-kvm[3202]: GSSAPI server step 1
>
> On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
> correct to me:
>
> # ps -aux | grep qemu-kvm
> -vnc 0.0.0.0:0,sasl
>
> QEMU may read the VNC keytab
>
> $ ls -l /etc/qemu/
> total 4
> -rw-------. 1 qemu root 458 30 août 15:48 krb5.tab
>
> Contents of /etc/sasl2/qemu-kvm.conf (comments removed)
>
> mech_list: gssapi
> keytab: /etc/qemu/krb5.tab
>
> The client seems to grab correct tickets:
>
> $ klist
> Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
> Default principal: marin at CLOUD.OLIVARIM.COM
>
> Valid starting       Expires              Service principal
> 30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
> 30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
>
> KVM Host is Centos 7.2, up to date.
>
> FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev.
> 18.el7.centos.4
>
> Client is Fedora 22, up to date.
>
> I tried to disable both the firewall and SELinux but it did not change
> anything.
>
> Do you have any clues?
>
> Thanks!
>
> Marin.
>

my /etc/sasl2/qemu.conf (note the different file name, may be relevant*):

mech_list: gssapi
keytab: /etc/qemu/qemu.keytab
sasldb_path: /etc/qemu/passwd.db
auxprop_plugin: sasldb

my /etc/sasl2/libvirt.conf:

mech_list: gssapi
keytab: /etc/libvirt/libvirt.keytab

my /etc/qemu/qemu.keytab file has the principal used/needed for VNC
(vnc/host.domain.tld at REALM). you can check yours with
"klist -Kket /path/to/qemu.keytab"

my /etc/libvirt/libvirt.keytab file has the principal used/needed for
virt-manager or virsh console (libvirt/host.domain.tld at REALM). you can
check yours with "klist -Kket /path/to/libvirt.keytab"

* the name of the file in /etc/sasl2/ is tied to the name of the
application. find the sysadmin.html page for Cyrus-SASL-libs, which
states:

By default, the Cyrus SASL library reads its options from
/usr/lib/sasl2/App.conf (where "App" is the application defined name of
the application).
For instance, Sendmail reads its configuration from
"/usr/lib/sasl2/Sendmail.conf" and the sample server application included
with the library looks in "/usr/lib/sasl2/sample.conf".

From yks0000 at gmail.com Tue Sep 1 11:35:48 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Tue, 1 Sep 2015 17:05:48 +0530
Subject: [Freeipa-users] FreeIPA Sudo Error: Resource temporarily unavailable

Hi,

We are getting the below error while a user tries to do sudo, while it
works for old users.

(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [vg4381] from []
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40bc10:3:vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [klikpay.int][3][1][name=vg4381]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40bc10:3:vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider
Error: 1, 11, Offline
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [vg4381] from [klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*))(&(dataExpireTimestamp<=1441107001)))]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x407380:0:1:vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_sudoers_msg] (0x0400): Creating SUDOers request for [klikpay.int][7][vg4381][1]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x407380:0:1:vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40bc10:3:vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information from Data Provider
Error: 1, 11, Resource temporarily unavailable
Will try to return what we have in cache
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x407380:0:1:vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [vg4381] from []
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40bc10:3:vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [klikpay.int][3][1][name=vg4381]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40bc10:3:vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider
Error: 1, 11, Offline
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [vg4381] from [klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*))(&(dataExpireTimestamp<=1441107001)))]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x407380:0:1:vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_sudoers_msg] (0x0400): Creating SUDOers request for [klikpay.int][7][vg4381][1]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x407380:0:1:vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40bc10:3:vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information from Data Provider
Error: 1, 11, Resource temporarily unavailable
Will try to return what we have in cache
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*)))]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [vg4381 at klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x407380:0:1:vg4381 at klikpay.int]

Best Regards,
__________________________________________
Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

From rmeggins at redhat.com Tue Sep 1 14:10:35 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 1 Sep 2015 08:10:35 -0600
Subject: [Freeipa-users] GSSAPI authentication for libvirt VNC
In-Reply-To: <55E5A870.200@gmail.com>
References: <1440953389.7321.26.camel@olivarim.com> <55E5A870.200@gmail.com>
Message-ID: <55E5B1DB.4000804@redhat.com>

On 09/01/2015 07:30 AM, Brendan Kearney wrote:
> On 08/30/2015 12:49 PM, Marin Bernard wrote:
>> Hi,
>>
>> I followed the instructions from freeipa.org
>> (https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
>> and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
>> fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
>> unable to get a VNC connection to any guest: both virt-manager and
>> virt-viewer fail. The former speaks about a "closed or refused
>> connection", and the latter just closes.
>>
>> On the KVM host, each VNC login attempt adds the following record to
>> the systemd journal:
>>
>> qemu-kvm[3202]: GSSAPI server step 1
>>
>> On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
>> correct to me:
>>
>> # ps -aux | grep qemu-kvm
>> -vnc 0.0.0.0:0,sasl
>>
>> QEMU may read the VNC keytab
>>
>> $ ls -l /etc/qemu/
>> total 4
>> -rw-------. 1 qemu root 458 30 août 15:48 krb5.tab
>>
>> Contents of /etc/sasl2/qemu-kvm.conf (comments removed)
>>
>> mech_list: gssapi
>> keytab: /etc/qemu/krb5.tab
>>
>> The client seems to grab correct tickets:
>>
>> $ klist
>> Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
>> Default principal: marin at CLOUD.OLIVARIM.COM
>>
>> Valid starting       Expires              Service principal
>> 30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
>> 30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
>>
>> KVM Host is Centos 7.2, up to date.
>>
>> FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev.
>> 18.el7.centos.4
>>
>> Client is Fedora 22, up to date.
>>
>> I tried to disable both the firewall and SELinux but it did not change
>> anything.
>>
>> Do you have any clues?
>>
>> Thanks!
>>
>> Marin.
>>
> my /etc/sasl2/qemu.conf (note the different file name, may be relevant*):
>
> mech_list: gssapi
> keytab: /etc/qemu/qemu.keytab
> sasldb_path: /etc/qemu/passwd.db
> auxprop_plugin: sasldb
>
> my /etc/sasl2/libvirt.conf:
>
> mech_list: gssapi
> keytab: /etc/libvirt/libvirt.keytab
>
> my /etc/qemu/qemu.keytab file has the principal used/needed for VNC
> (vnc/host.domain.tld at REALM). You can check yours with "klist -Kket
> /path/to/qemu.keytab".
>
> my /etc/libvirt/libvirt.keytab file has the principal used/needed for
> virt-manager or virsh console (libvirt/host.domain.tld at REALM). You can
> check yours with "klist -Kket /path/to/libvirt.keytab".
>
> * the name of the file in /etc/sasl2/ is tied to the name of the
> application. Find the sysadmin.html page for Cyrus-SASL-libs, which
> states:
>
>   By default, the Cyrus SASL library reads it's options from
>   /usr/lib/sasl2/App.conf (where "App" is the application defined name
>   of the application). For instance, Sendmail reads it's configuration
>   from "/usr/lib/sasl2/Sendmail.conf" and the sample server application
>   included with the library looks in "/usr/lib/sasl2/sample.conf".

It is the appname argument of sasl_server_init(3):

sasl_server_init(3)              SASL man pages              sasl_server_init(3)

NAME
       sasl_server_init - SASL server authentication initialization

SYNOPSIS
       #include <sasl/sasl.h>

       int sasl_server_init(const sasl_callback_t *callbacks,
                            const char *appname);

DESCRIPTION
       sasl_server_init() initializes SASL. It must be called before any
       calls to sasl_server_start, and only once per process. This call
       initializes all SASL mechanism drivers (e.g. authentication
       mechanisms). These are usually found in the /usr/lib/sasl2 directory
       but the directory may be overridden with the SASL_PATH environment
       variable (or at compile time).

       callbacks specifies the base callbacks for all client connections.
       See the sasl_callbacks man page for more information.

       appname is the name of the application. It is used for where to
       find the default configuration file.

From aebruno2 at buffalo.edu Tue Sep 1 14:39:57 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Tue, 1 Sep 2015 10:39:57 -0400
Subject: [Freeipa-users] replicas unresponsive with increasing file descriptors
Message-ID: <20150901143957.GA8868@dead.ccr.buffalo.edu>

A few months ago we had a replica failure where the system ran out of file
descriptors and the slapd database was corrupted:

https://www.redhat.com/archives/freeipa-users/2015-June/msg00389.html

We now monitor file descriptor counts on our replicas and last night we
had 2 of our 3 replicas fail and become completely unresponsive. Trying
to kinit on the replica resulted in:

[user at ipa-master]$ kinit
kinit: Generic error (see e-text) while getting initial credentials

Snippet from the /var/log/dirsrv/slapd-[domain]/errors:

[31/Aug/2015:17:14:39 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out)
[31/Aug/2015:17:16:39 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:18:42 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:20:42 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Incremental protocol: event backoff_timer_expired should not occur in state start_backoff
[31/Aug/2015:17:26:50 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:28:50 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.

The access logs were filling up with:

[31/Aug/2015:17:13:17 -0400] conn=1385990 fd=449 slot=449 connection from 10.106.14.29 to 10.113.14.30
[31/Aug/2015:17:13:18 -0400] conn=1385991 fd=450 slot=450 connection from 10.104.9.137 to 10.113.14.30
[31/Aug/2015:17:13:18 -0400] conn=1385992 fd=451 slot=451 connection from 10.104.16.19 to 10.113.14.30
[31/Aug/2015:17:13:21 -0400] conn=1385993 fd=452 slot=452 connection from 10.111.11.30 to 10.113.14.30
[31/Aug/2015:17:13:24 -0400] conn=1385994 fd=453 slot=453 connection from 10.113.27.115 to 10.113.14.30
[31/Aug/2015:17:13:27 -0400] conn=1385995 fd=454 slot=454 connection from 10.111.8.116 to 10.113.14.30
[31/Aug/2015:17:13:27 -0400] conn=1385996 fd=514 slot=514 connection from 10.113.25.40 to 10.113.14.30
[31/Aug/2015:17:13:29 -0400] conn=1385997 fd=515 slot=515 connection from 10.106.14.27 to 10.113.14.30
[31/Aug/2015:17:13:29 -0400] conn=1385998 fd=516 slot=516 connection from 10.111.10.141 to 10.113.14.30
[31/Aug/2015:17:13:30 -0400] conn=1385999 fd=528 slot=528 connection from 10.104.14.27 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386000 fd=529 slot=529 connection from 10.106.13.132 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386001 fd=530 slot=530 connection from 10.113.25.11 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386002 fd=531 slot=531 connection from 10.104.15.11 to 10.113.14.30
[31/Aug/2015:17:13:32 -0400] conn=1386003 fd=533 slot=533 connection from 10.104.7.136 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386004 fd=534 slot=534 connection from 10.113.24.23 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386005 fd=535 slot=535 connection from 10.106.12.105 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386006 fd=536 slot=536 connection from 10.104.16.41 to 10.113.14.30
[31/Aug/2015:17:13:34 -0400] conn=1386007 fd=537 slot=537 connection from 10.104.16.4 to 10.113.14.30
[31/Aug/2015:17:13:35 -0400] conn=1386008 fd=538 slot=538 connection from 10.111.8.12 to 10.113.14.30
[31/Aug/2015:17:13:36 -0400] conn=1386009 fd=539 slot=539 connection from 10.111.8.17 to 10.113.14.30
....

Seems like clients were connecting to the replicas but file descriptors were
not getting released. Our monitoring showed increasing file descriptor counts
on both replicas (the FD counts are normally ~600):

DateTime                  | Host       | File Descriptor Count
--------------------------------------------------------------------
Mon, 31 Aug 2015 17:28:28 | srv-m14-32 | 1394
Mon, 31 Aug 2015 17:28:40 | srv-m14-30 | 1192
Mon, 31 Aug 2015 18:28:28 | srv-m14-32 | 2478
Mon, 31 Aug 2015 18:28:40 | srv-m14-30 | 2212
Mon, 31 Aug 2015 19:28:28 | srv-m14-32 | 3305
Mon, 31 Aug 2015 19:28:40 | srv-m14-30 | 3058
....

We can confirm this via logconv.pl:

Start of Logs:    31/Aug/2015:14:55:01
End of Logs:      31/Aug/2015:16:42:37
...
FDs Taken:        3140
FDs Returned:     3160
Highest FD Taken: 603

Start of Logs:    31/Aug/2015:16:42:37
End of Logs:      31/Aug/2015:20:18:41
..
FDs Taken:        4562
FDs Returned:     1336
Highest FD Taken: 3755

We suspect something happened around 31/Aug/2015:17:13:00 that caused both
replicas to become unresponsive and leak file descriptors. Luckily we caught
this before the system ran out of file descriptors. We logged onto each replica
and restarted ipa via:

# systemctl restart ipa

This produced some errors in the logs:

[31/Aug/2015:20:11:02 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 3623 max work q stack size 496
[31/Aug/2015:20:11:02 -0400] - slapd shutting down - waiting for 30 threads to terminate
...
[31/Aug/2015:20:12:34 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up
[31/Aug/2015:20:12:34 -0400] - WARNING -- Minimum cache size is 512000 -- rounding up
[31/Aug/2015:20:12:34 -0400] - WARNING: changelog: entry cache size 512000B is less than db size 400465920B; We recommend to increase the entry cache size nsslapd-cachememsize.
[31/Aug/2015:20:12:34 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[31/Aug/2015:20:12:35 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=cbls,dc=ccr,dc=buffalo,dc=edu
....
[31/Aug/2015:20:12:39 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
[31/Aug/2015:20:12:39 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943
[31/Aug/2015:20:13:08 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/0cccfa05-2cb911e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943
[31/Aug/2015:20:13:11 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=cbls,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated
[31/Aug/2015:20:13:11 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
[31/Aug/2015:20:13:11 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-m14-32.cbls.ccr.buffalo.edu at CBLS.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[31/Aug/2015:20:13:11 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-m14-32.cbls.ccr.buffalo.edu at CBLS.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
....

Followed by almost 1M lines of...
[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511742 (rc: 32)
[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511743 (rc: 32)
[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511744 (rc: 32)
[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511745 (rc: 32)
[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511746 (rc: 32)
[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511747 (rc: 32)
[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511748 (rc: 32)
[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511749 (rc: 32)
[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511750 (rc: 32)
...

The delete_changerecord id went from 511742 to 1471562 in increasing order. Are
these normal or a sign of something more serious?

After we restarted ipa, both replicas eventually came back up and appear to be
operating as normal.

Any ideas what could have caused this and where to look for more info? We'd
obviously like to prevent this from happening again as we suspect this is what
caused our replica failure back in June as well.

Should we be concerned about these errors:

replica_check_for_data_reload: Warning: disordely shutdown for replica dc=cbls,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated
replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated

How do we check if DB RUV needs to be updated?

running: ipa-server-4.1.0-18, 389-ds-base-1.3.3.1-16, CentOS 7.1.1503

Thanks in advance for any help!
Best,

--Andrew

From lkrispen at redhat.com Tue Sep 1 15:03:10 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 01 Sep 2015 17:03:10 +0200
Subject: [Freeipa-users] replicas unresponsive with increasing file descriptors
In-Reply-To: <20150901143957.GA8868@dead.ccr.buffalo.edu>
References: <20150901143957.GA8868@dead.ccr.buffalo.edu>
Message-ID: <55E5BE2E.9050700@redhat.com>

On 09/01/2015 04:39 PM, Andrew E. Bruno wrote:
> A few months ago we had a replica failure where the system ran out of file
> descriptors and the slapd database was corrupted:
>
> https://www.redhat.com/archives/freeipa-users/2015-June/msg00389.html
>
> We now monitor file descriptor counts on our replicas and last night we
> had 2 of our 3 replicas fail and become completely unresponsive. Trying
> to kinit on the replica resulted in:
>
> [user at ipa-master]$ kinit
> kinit: Generic error (see e-text) while getting initial credentials
>
>
> Snippet from the /var/log/dirsrv/slapd-[domain]/errors:
>
> [31/Aug/2015:17:14:39 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out)
> [31/Aug/2015:17:16:39 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> [31/Aug/2015:17:18:42 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> [31/Aug/2015:17:20:42 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> [31/Aug/2015:17:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> [31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> [31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Incremental protocol: event backoff_timer_expired should not occur in state start_backoff
> [31/Aug/2015:17:26:50 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> [31/Aug/2015:17:28:50 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>
> The access logs were filling up with:
>
> [31/Aug/2015:17:13:17 -0400] conn=1385990 fd=449 slot=449 connection from 10.106.14.29 to 10.113.14.30
> [31/Aug/2015:17:13:18 -0400] conn=1385991 fd=450 slot=450 connection from 10.104.9.137 to 10.113.14.30
> [31/Aug/2015:17:13:18 -0400] conn=1385992 fd=451 slot=451 connection from 10.104.16.19 to 10.113.14.30
> [31/Aug/2015:17:13:21 -0400] conn=1385993 fd=452 slot=452 connection from 10.111.11.30 to 10.113.14.30
> [31/Aug/2015:17:13:24 -0400] conn=1385994 fd=453 slot=453 connection from 10.113.27.115 to 10.113.14.30
> [31/Aug/2015:17:13:27 -0400] conn=1385995 fd=454 slot=454 connection from 10.111.8.116 to 10.113.14.30
> [31/Aug/2015:17:13:27 -0400] conn=1385996 fd=514 slot=514 connection from 10.113.25.40 to 10.113.14.30
> [31/Aug/2015:17:13:29 -0400] conn=1385997 fd=515 slot=515 connection from 10.106.14.27 to 10.113.14.30
> [31/Aug/2015:17:13:29 -0400] conn=1385998 fd=516 slot=516 connection from 10.111.10.141 to 10.113.14.30
> [31/Aug/2015:17:13:30 -0400] conn=1385999 fd=528 slot=528 connection from 10.104.14.27 to 10.113.14.30
> [31/Aug/2015:17:13:31 -0400] conn=1386000 fd=529 slot=529 connection from 10.106.13.132 to 10.113.14.30
> [31/Aug/2015:17:13:31 -0400] conn=1386001 fd=530 slot=530 connection from 10.113.25.11 to 10.113.14.30
> [31/Aug/2015:17:13:31 -0400] conn=1386002 fd=531 slot=531 connection from 10.104.15.11 to 10.113.14.30
> [31/Aug/2015:17:13:32 -0400] conn=1386003 fd=533 slot=533 connection from 10.104.7.136 to 10.113.14.30
> [31/Aug/2015:17:13:33 -0400] conn=1386004 fd=534 slot=534 connection from 10.113.24.23 to 10.113.14.30
> [31/Aug/2015:17:13:33 -0400] conn=1386005 fd=535 slot=535 connection from 10.106.12.105 to 10.113.14.30
> [31/Aug/2015:17:13:33 -0400] conn=1386006 fd=536 slot=536 connection from 10.104.16.41 to 10.113.14.30
> [31/Aug/2015:17:13:34 -0400] conn=1386007 fd=537 slot=537 connection from 10.104.16.4 to 10.113.14.30
> [31/Aug/2015:17:13:35 -0400] conn=1386008 fd=538 slot=538 connection from 10.111.8.12 to 10.113.14.30
> [31/Aug/2015:17:13:36 -0400] conn=1386009 fd=539 slot=539 connection from 10.111.8.17 to 10.113.14.30
> ....
>
>
> Seems like clients were connecting to the replicas but file descriptors were
> not getting released. Our monitoring showed increasing file descriptor counts
> on both replicas (the FD counts are normally ~600):
>
> DateTime                  | Host       | File Descriptor Count
> --------------------------------------------------------------------
> Mon, 31 Aug 2015 17:28:28 | srv-m14-32 | 1394
> Mon, 31 Aug 2015 17:28:40 | srv-m14-30 | 1192
> Mon, 31 Aug 2015 18:28:28 | srv-m14-32 | 2478
> Mon, 31 Aug 2015 18:28:40 | srv-m14-30 | 2212
> Mon, 31 Aug 2015 19:28:28 | srv-m14-32 | 3305
> Mon, 31 Aug 2015 19:28:40 | srv-m14-30 | 3058
> ....
>
> We can confirm this via logconv.pl:
>
>
> Start of Logs:    31/Aug/2015:14:55:01
> End of Logs:      31/Aug/2015:16:42:37
> ...
> FDs Taken:        3140
> FDs Returned:     3160
> Highest FD Taken: 603
>
>
> Start of Logs:    31/Aug/2015:16:42:37
> End of Logs:      31/Aug/2015:20:18:41
> ..
> FDs Taken:        4562
> FDs Returned:     1336
> Highest FD Taken: 3755
>
>
> We suspect something happened around 31/Aug/2015:17:13:00 that caused both
> replicas to become unresponsive and leak file descriptors. Luckily we caught
> this before the system ran out of file descriptors. We logged onto each replica
> and restarted ipa via:
>
> # systemctl restart ipa
>
> This produced some errors in the logs:
>
> [31/Aug/2015:20:11:02 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 3623 max work q stack size 496
> [31/Aug/2015:20:11:02 -0400] - slapd shutting down - waiting for 30 threads to terminate
> ...
> [31/Aug/2015:20:12:34 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up
> [31/Aug/2015:20:12:34 -0400] - WARNING -- Minimum cache size is 512000 -- rounding up
> [31/Aug/2015:20:12:34 -0400] - WARNING: changelog: entry cache size 512000B is less than db size 400465920B; We recommend to increase the entry cache size nsslapd-cachememsize.
> [31/Aug/2015:20:12:34 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> [31/Aug/2015:20:12:35 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=cbls,dc=ccr,dc=buffalo,dc=edu
> ....
> [31/Aug/2015:20:12:39 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> [31/Aug/2015:20:12:39 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943
> [31/Aug/2015:20:13:08 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/0cccfa05-2cb911e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943
> [31/Aug/2015:20:13:11 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=cbls,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated
> [31/Aug/2015:20:13:11 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
> [31/Aug/2015:20:13:11 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-m14-32.cbls.ccr.buffalo.edu at CBLS.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [31/Aug/2015:20:13:11 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-m14-32.cbls.ccr.buffalo.edu at CBLS.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> ....
>
> Followed by almost 1M lines of...
>
> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511742 (rc: 32)
> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511743 (rc: 32)
> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511744 (rc: 32)
> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511745 (rc: 32)
> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511746 (rc: 32)
> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511747 (rc: 32)
> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511748 (rc: 32)
> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511749 (rc: 32)
> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511750 (rc: 32)
> ...
>
>
> The delete_changerecord id went from 511742 to 1471562 in increasing order. Are
> these normal or a sign of something more serious?
>
> After we restarted ipa, both replicas eventually came back up and appear to be
> operating as normal.
>
> Any ideas what could have caused this and where to look for more info?
> We'd obviously like to prevent this from happening again as we suspect this
> is what caused our replica failure back in June as well.

If the server is not responsive and the incoming connections pile up
consuming all the file descriptors, this could be caused by a deadlock in
the server or by some clients not reading responses and blocking all other
threads from progressing.
If you run into this situation again, could you try to get a pstack from the
process?

About the changelog messages, it looks like after a crash, the information
where changelog trimming should start is lost and it starts at the wrong
number and can no longer find the records in the retro changelog and logs an
error for each changenumber attempted.
We should investigate this and try to prevent it or at least not pollute the
log.

About the "Check if DB RUV ....", it is misleading, the server is doing it,
the message should better read "Checking if ..."

>
> Should we be concerned about these errors:
>
> replica_check_for_data_reload: Warning: disordely shutdown for replica dc=cbls,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated
> replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
>
> How do we check if DB RUV needs to be updated?
>
> running: ipa-server-4.1.0-18, 389-ds-base-1.3.3.1-16, CentOS 7.1.1503
>
> Thanks in advance for any help!
>
> Best,
>
> --Andrew
>

From aebruno2 at buffalo.edu Tue Sep 1 15:20:53 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Tue, 1 Sep 2015 11:20:53 -0400
Subject: [Freeipa-users] replicas unresponsive with increasing file descriptors
In-Reply-To: <55E5BE2E.9050700@redhat.com>
References: <20150901143957.GA8868@dead.ccr.buffalo.edu> <55E5BE2E.9050700@redhat.com>
Message-ID: <20150901152053.GD8868@dead.ccr.buffalo.edu>

On Tue, Sep 01, 2015 at 05:03:10PM +0200, Ludwig Krispenz wrote:
>
> On 09/01/2015 04:39 PM, Andrew E. Bruno wrote:
> > A few months ago we had a replica failure where the system ran out of file
> > descriptors and the slapd database was corrupted:
> >
> > https://www.redhat.com/archives/freeipa-users/2015-June/msg00389.html
> >
> > We now monitor file descriptor counts on our replicas and last night we
> > had 2 of our 3 replicas fail and become completely unresponsive. Trying
> > to kinit on the replica resulted in:
> >
> > [user at ipa-master]$ kinit
> > kinit: Generic error (see e-text) while getting initial credentials
> >
> >
> > Snippet from the /var/log/dirsrv/slapd-[domain]/errors:
> >
> > [31/Aug/2015:17:14:39 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out)
> > [31/Aug/2015:17:16:39 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> > [31/Aug/2015:17:18:42 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> > [31/Aug/2015:17:20:42 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> > [31/Aug/2015:17:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> > [31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> > [31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Incremental protocol: event backoff_timer_expired should not occur in state start_backoff
> > [31/Aug/2015:17:26:50 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> > [31/Aug/2015:17:28:50 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
> >
> > The access logs were filling up with:
> >
> > [31/Aug/2015:17:13:17 -0400] conn=1385990 fd=449 slot=449 connection from 10.106.14.29 to 10.113.14.30
> > [31/Aug/2015:17:13:18 -0400] conn=1385991 fd=450 slot=450 connection from 10.104.9.137 to 10.113.14.30
> > [31/Aug/2015:17:13:18 -0400] conn=1385992 fd=451 slot=451 connection from 10.104.16.19 to 10.113.14.30
> > [31/Aug/2015:17:13:21 -0400] conn=1385993 fd=452 slot=452 connection from 10.111.11.30 to 10.113.14.30
> > [31/Aug/2015:17:13:24 -0400] conn=1385994 fd=453 slot=453 connection from 10.113.27.115 to 10.113.14.30
> > [31/Aug/2015:17:13:27 -0400] conn=1385995 fd=454 slot=454 connection from 10.111.8.116 to 10.113.14.30
> > [31/Aug/2015:17:13:27 -0400] conn=1385996 fd=514 slot=514 connection from 10.113.25.40 to 10.113.14.30
> > [31/Aug/2015:17:13:29 -0400] conn=1385997 fd=515 slot=515 connection from 10.106.14.27 to 10.113.14.30
> > [31/Aug/2015:17:13:29 -0400] conn=1385998 fd=516 slot=516 connection from 10.111.10.141 to 10.113.14.30
> > [31/Aug/2015:17:13:30 -0400] conn=1385999 fd=528 slot=528 connection from 10.104.14.27 to 10.113.14.30
> > [31/Aug/2015:17:13:31 -0400] conn=1386000 fd=529 slot=529 connection from 10.106.13.132 to 10.113.14.30
> > [31/Aug/2015:17:13:31 -0400] conn=1386001 fd=530 slot=530 connection from 10.113.25.11 to 10.113.14.30
> > [31/Aug/2015:17:13:31 -0400] conn=1386002 fd=531 slot=531 connection from 10.104.15.11 to 10.113.14.30
> > [31/Aug/2015:17:13:32 -0400] conn=1386003 fd=533 slot=533 connection from 10.104.7.136 to 10.113.14.30
> > [31/Aug/2015:17:13:33 -0400] conn=1386004 fd=534 slot=534 connection from 10.113.24.23 to 10.113.14.30
> > [31/Aug/2015:17:13:33 -0400] conn=1386005 fd=535 slot=535 connection from 10.106.12.105 to 10.113.14.30
> > [31/Aug/2015:17:13:33 -0400] conn=1386006 fd=536 slot=536 connection from 10.104.16.41 to 10.113.14.30
> > [31/Aug/2015:17:13:34 -0400] conn=1386007 fd=537 slot=537 connection from 10.104.16.4 to 10.113.14.30
> > [31/Aug/2015:17:13:35 -0400] conn=1386008 fd=538 slot=538 connection from 10.111.8.12 to 10.113.14.30
> > [31/Aug/2015:17:13:36 -0400] conn=1386009 fd=539 slot=539 connection from 10.111.8.17 to 10.113.14.30
> > ....
> >
> >
> > Seems like clients were connecting to the replicas but file descriptors were
> > not getting released. Our monitoring showed increasing file descriptor counts
> > on both replicas (the FD counts are normally ~600):
> >
> > DateTime                  | Host       | File Descriptor Count
> > --------------------------------------------------------------------
> > Mon, 31 Aug 2015 17:28:28 | srv-m14-32 | 1394
> > Mon, 31 Aug 2015 17:28:40 | srv-m14-30 | 1192
> > Mon, 31 Aug 2015 18:28:28 | srv-m14-32 | 2478
> > Mon, 31 Aug 2015 18:28:40 | srv-m14-30 | 2212
> > Mon, 31 Aug 2015 19:28:28 | srv-m14-32 | 3305
> > Mon, 31 Aug 2015 19:28:40 | srv-m14-30 | 3058
> > ....
> >
> > We can confirm this via logconv.pl:
> >
> >
> > Start of Logs:    31/Aug/2015:14:55:01
> > End of Logs:      31/Aug/2015:16:42:37
> > ...
> > FDs Taken:        3140
> > FDs Returned:     3160
> > Highest FD Taken: 603
> >
> >
> > Start of Logs:    31/Aug/2015:16:42:37
> > End of Logs:      31/Aug/2015:20:18:41
> > ..
> > FDs Taken:        4562
> > FDs Returned:     1336
> > Highest FD Taken: 3755
> >
> >
> > We suspect something happened around 31/Aug/2015:17:13:00 that caused both
> > replicas to become unresponsive and leak file descriptors. Luckily we caught
> > this before the system ran out of file descriptors. We logged onto each replica
> > and restarted ipa via:
> >
> > # systemctl restart ipa
> >
> > This produced some errors in the logs:
> >
> > [31/Aug/2015:20:11:02 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 3623 max work q stack size 496
> > [31/Aug/2015:20:11:02 -0400] - slapd shutting down - waiting for 30 threads to terminate
> > ...
> > [31/Aug/2015:20:12:34 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up
> > [31/Aug/2015:20:12:34 -0400] - WARNING -- Minimum cache size is 512000 -- rounding up
> > [31/Aug/2015:20:12:34 -0400] - WARNING: changelog: entry cache size 512000B is less than db size 400465920B; We recommend to increase the entry cache size nsslapd-cachememsize.
> > [31/Aug/2015:20:12:34 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> > [31/Aug/2015:20:12:35 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=cbls,dc=ccr,dc=buffalo,dc=edu
> > ....
> > [31/Aug/2015:20:12:39 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> > [31/Aug/2015:20:12:39 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943
> > [31/Aug/2015:20:13:08 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/0cccfa05-2cb911e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943
> > [31/Aug/2015:20:13:11 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=cbls,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated
> > [31/Aug/2015:20:13:11 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
> > [31/Aug/2015:20:13:11 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-m14-32.cbls.ccr.buffalo.edu at CBLS.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> > [31/Aug/2015:20:13:11 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-m14-32.cbls.ccr.buffalo.edu at CBLS.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> > ....
> >
> > Followed by almost 1M lines of...
> > > >[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511742 (rc: 32) > >[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511743 (rc: 32) > >[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511744 (rc: 32) > >[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511745 (rc: 32) > >[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511746 (rc: 32) > >[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511747 (rc: 32) > >[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511748 (rc: 32) > >[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511749 (rc: 32) > >[31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511750 (rc: 32) > >... > > > > > >The delete_changerecord id went from 511742 to 1471562 in increasing order. Are > >these normal or a sign of something more serious? > > > >After we restarted ipa, both replicas eventually came back up and appear to be > >operating as normal. > > > >Any ideas what could have caused this and where to look for more info? We'd > >obviously like to prevent this from happening again as we suspect this is what > >caused our replica failure back in June as well. > If the server is not responsive and the incoming connections pile up > consuming all the file descriptors, this could be caused by a deadlock in > the server or by some clients not reading responses and blocking all other > threads from progressing. > If you run into this situation again, could you try to get a pstack from the > process ? Yes, we'll be sure to grab a pstack next time. Could this possibly be related to replication? 
These errors happened right around the time the servers crashed: - Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica - Incremental protocol: event backoff_timer_expired should not occur in state start_backoff > > About the changlog messages, it looks like after a crash, the information > where changelog trimming should start is lost and it starts at the wrong > number and can no longer find the records in the retro changelog and logs an > error for each changenumber attempted. > We should investigate this and try to prevent it or at least not pollute the > log > > About the "Check if DB RUV ....", it is misleading, the server is doing it, > the message should better read "Checking if ..." Great, thanks for the info. > > > >Should we be concerned about these errors: > > > > replica_check_for_data_reload: Warning: disordely shutdown for replica dc=cbls,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated > > replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated > > > >How do we check if DB RUV needs to be updated? > > > >running: ipa-server-4.1.0-18, 389-ds-base-1.3.3.1-16, CentOS 7.1.1503 > > > >Thanks in advance for any help! > > > >Best, > > > >--Andrew > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > From rmeggins at redhat.com Tue Sep 1 15:45:22 2015 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 1 Sep 2015 09:45:22 -0600 Subject: [Freeipa-users] replicas unresponsive with increasing file descriptors In-Reply-To: <20150901152053.GD8868@dead.ccr.buffalo.edu> References: <20150901143957.GA8868@dead.ccr.buffalo.edu> <55E5BE2E.9050700@redhat.com> <20150901152053.GD8868@dead.ccr.buffalo.edu> Message-ID: <55E5C812.4040308@redhat.com> On 09/01/2015 09:20 AM, Andrew E. 
Bruno wrote:
> On Tue, Sep 01, 2015 at 05:03:10PM +0200, Ludwig Krispenz wrote:
>> On 09/01/2015 04:39 PM, Andrew E. Bruno wrote:
>>> A few months ago we had a replica failure where the system ran out of file
>>> descriptors and the slapd database was corrupted:
>>>
>>> https://www.redhat.com/archives/freeipa-users/2015-June/msg00389.html
>>>
>>> We now monitor file descriptor counts on our replicas and last night we
>>> had 2 of our 3 replicas fail and become completely unresponsive. Trying
>>> to kinit on the replica resulted in:
>>>
>>> [user at ipa-master]$ kinit
>>> kinit: Generic error (see e-text) while getting initial credentials
>>>
>>>
>>> Snippet from the /var/log/dirsrv/slapd-[domain]/errors:
>>>
>>> [31/Aug/2015:17:14:39 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out)
>>> [31/Aug/2015:17:16:39 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>> [31/Aug/2015:17:18:42 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>> [31/Aug/2015:17:20:42 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>> [31/Aug/2015:17:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>> [31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>> [31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Incremental protocol: event backoff_timer_expired should not occur in state start_backoff
>>> [31/Aug/2015:17:26:50 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>> [31/Aug/2015:17:28:50 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>>
>>> The access logs were filling up with:
>>>
>>> [31/Aug/2015:17:13:17 -0400] conn=1385990 fd=449 slot=449 connection from 10.106.14.29 to 10.113.14.30
>>> [31/Aug/2015:17:13:18 -0400] conn=1385991 fd=450 slot=450 connection from 10.104.9.137 to 10.113.14.30
>>> [31/Aug/2015:17:13:18 -0400] conn=1385992 fd=451 slot=451 connection from 10.104.16.19 to 10.113.14.30
>>> [31/Aug/2015:17:13:21 -0400] conn=1385993 fd=452 slot=452 connection from 10.111.11.30 to 10.113.14.30
>>> [31/Aug/2015:17:13:24 -0400] conn=1385994 fd=453 slot=453 connection from 10.113.27.115 to 10.113.14.30
>>> [31/Aug/2015:17:13:27 -0400] conn=1385995 fd=454 slot=454 connection from 10.111.8.116 to 10.113.14.30
>>> [31/Aug/2015:17:13:27 -0400] conn=1385996 fd=514 slot=514 connection from 10.113.25.40 to 10.113.14.30
>>> [31/Aug/2015:17:13:29 -0400] conn=1385997 fd=515 slot=515 connection from 10.106.14.27 to 10.113.14.30
>>> [31/Aug/2015:17:13:29 -0400] conn=1385998 fd=516 slot=516 connection from 10.111.10.141 to 10.113.14.30
>>> [31/Aug/2015:17:13:30 -0400] conn=1385999 fd=528 slot=528 connection from 10.104.14.27 to 10.113.14.30
>>> [31/Aug/2015:17:13:31 -0400] conn=1386000 fd=529 slot=529 connection from 10.106.13.132 to 10.113.14.30
>>> [31/Aug/2015:17:13:31 -0400] conn=1386001 fd=530 slot=530 connection from 10.113.25.11 to 10.113.14.30
>>> [31/Aug/2015:17:13:31 -0400] conn=1386002 fd=531 slot=531 connection from 10.104.15.11 to 10.113.14.30
>>> [31/Aug/2015:17:13:32 -0400] conn=1386003 fd=533 slot=533 connection from 10.104.7.136 to 10.113.14.30
>>> [31/Aug/2015:17:13:33 -0400] conn=1386004 fd=534 slot=534 connection from 10.113.24.23 to 10.113.14.30
>>> [31/Aug/2015:17:13:33 -0400] conn=1386005 fd=535 slot=535 connection from 10.106.12.105 to 10.113.14.30
>>> [31/Aug/2015:17:13:33 -0400] conn=1386006 fd=536 slot=536 connection from 10.104.16.41 to 10.113.14.30
>>> [31/Aug/2015:17:13:34 -0400] conn=1386007 fd=537 slot=537 connection from 10.104.16.4 to 10.113.14.30
>>> [31/Aug/2015:17:13:35 -0400] conn=1386008 fd=538 slot=538 connection from 10.111.8.12 to 10.113.14.30
>>> [31/Aug/2015:17:13:36 -0400] conn=1386009 fd=539 slot=539 connection from 10.111.8.17 to 10.113.14.30
>>> ....
>>>
>>>
>>> Seems like clients were connecting to the replicas but file descriptors were
>>> not getting released. Our monitoring showed increasing file descriptor counts
>>> on both replicas (the FD counts are normally ~600):
>>>
>>> DateTime                  | Host       | File Descriptor Count
>>> --------------------------------------------------------------------
>>> Mon, 31 Aug 2015 17:28:28 | srv-m14-32 | 1394
>>> Mon, 31 Aug 2015 17:28:40 | srv-m14-30 | 1192
>>> Mon, 31 Aug 2015 18:28:28 | srv-m14-32 | 2478
>>> Mon, 31 Aug 2015 18:28:40 | srv-m14-30 | 2212
>>> Mon, 31 Aug 2015 19:28:28 | srv-m14-32 | 3305
>>> Mon, 31 Aug 2015 19:28:40 | srv-m14-30 | 3058
>>> ....
>>>
>>> We can confirm this via logconv.pl:
>>>
>>>
>>> Start of Logs: 31/Aug/2015:14:55:01
>>> End of Logs: 31/Aug/2015:16:42:37
>>> ...
>>> FDs Taken: 3140
>>> FDs Returned: 3160
>>> Highest FD Taken: 603
>>>
>>>
>>> Start of Logs: 31/Aug/2015:16:42:37
>>> End of Logs: 31/Aug/2015:20:18:41
>>> ..
>>> FDs Taken: 4562
>>> FDs Returned: 1336
>>> Highest FD Taken: 3755
>>>
>>>
>>> We suspect something happened around 31/Aug/2015:17:13:00 that caused both
>>> replicas to become unresponsive and leak file descriptors. Luckily we caught
>>> this before the system ran out of file descriptors. We logged onto each replica
>>> and restarted ipa via:
>>>
>>> # systemctl restart ipa
>>>
>>> This produced some errors in the logs:
>>>
>>> [31/Aug/2015:20:11:02 -0400] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 3623 max work q stack size 496
>>> [31/Aug/2015:20:11:02 -0400] - slapd shutting down - waiting for 30 threads to terminate
>>> ...
>>> [31/Aug/2015:20:12:34 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up
>>> [31/Aug/2015:20:12:34 -0400] - WARNING -- Minimum cache size is 512000 -- rounding up
>>> [31/Aug/2015:20:12:34 -0400] - WARNING: changelog: entry cache size 512000B is less than db size 400465920B; We recommend to increase the entry cache size nsslapd-cachememsize.
>>> [31/Aug/2015:20:12:34 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>> [31/Aug/2015:20:12:35 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=cbls,dc=ccr,dc=buffalo,dc=edu
>>> ....
>>> [31/Aug/2015:20:12:39 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
>>> [31/Aug/2015:20:12:39 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943
>>> [31/Aug/2015:20:13:08 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/0cccfa05-2cb911e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943
>>> [31/Aug/2015:20:13:11 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=cbls,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated
>>> [31/Aug/2015:20:13:11 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
>>> [31/Aug/2015:20:13:11 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-m14-32.cbls.ccr.buffalo.edu at CBLS.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>> [31/Aug/2015:20:13:11 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-m14-32.cbls.ccr.buffalo.edu at CBLS.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>> ....
>>>
>>> Followed by almost 1M lines of...
>>>
>>> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511742 (rc: 32)
>>> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511743 (rc: 32)
>>> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511744 (rc: 32)
>>> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511745 (rc: 32)
>>> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511746 (rc: 32)
>>> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511747 (rc: 32)
>>> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511748 (rc: 32)
>>> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511749 (rc: 32)
>>> [31/Aug/2015:20:13:11 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 511750 (rc: 32)
>>> ...
>>>
>>>
>>> The delete_changerecord id went from 511742 to 1471562 in increasing order. Are
>>> these normal or a sign of something more serious?
>>>
>>> After we restarted ipa, both replicas eventually came back up and appear to be
>>> operating as normal.
>>>
>>> Any ideas what could have caused this and where to look for more info? We'd
>>> obviously like to prevent this from happening again as we suspect this is what
>>> caused our replica failure back in June as well.
>> If the server is not responsive and the incoming connections pile up
>> consuming all the file descriptors, this could be caused by a deadlock in
>> the server or by some clients not reading responses and blocking all other
>> threads from progressing.
>> If you run into this situation again, could you try to get a pstack from the
>> process ?
> Yes, we'll be sure to grab a pstack next time. Could this possibly be
> related to replication? These errors happened right around the time the
> servers crashed:
>
> - Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica

This means the replica (the consumer of this supplier) was already "in
trouble" and could not respond. That is, the server was probably already
in trouble, and probably not due to replication.

> - Incremental protocol: event backoff_timer_expired should not occur in state start_backoff

This is benign.

>
>> About the changelog messages, it looks like after a crash, the information
>> where changelog trimming should start is lost and it starts at the wrong
>> number and can no longer find the records in the retro changelog and logs an
>> error for each changenumber attempted.
>> We should investigate this and try to prevent it or at least not pollute the
>> log
>>
>> About the "Check if DB RUV ....", it is misleading, the server is doing it,
>> the message should better read "Checking if ..."
> Great, thanks for the info.
>
>
>>> Should we be concerned about these errors:
>>>
>>> replica_check_for_data_reload: Warning: disordely shutdown for replica dc=cbls,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated
>>> replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
>>>
>>> How do we check if DB RUV needs to be updated?
>>>
>>> running: ipa-server-4.1.0-18, 389-ds-base-1.3.3.1-16, CentOS 7.1.1503
>>>
>>> Thanks in advance for any help!
>>>
>>> Best,
>>>
>>> --Andrew
>>>
>>

From janellenicole80 at gmail.com Tue Sep 1 16:17:11 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 1 Sep 2015 09:17:11 -0700
Subject: [Freeipa-users] stubborn old replicas
In-Reply-To:
References: <55DDC0D9.5050406@gmail.com> <1440603108.8138.83.camel@willson.usersys.redhat.com> <55DEB75C.3050108@redhat.com> <55DEBF3A.2040509@redhat.com> <55DEC4CE.3040701@redhat.com> <55DF1E34.1030202@gmail.com>
Message-ID: <55E5CF87.9030701@gmail.com>

On 8/28/15 8:17 AM, Vaclav Adamec wrote:
> You could try this (RH recommended way). It works for me better than
> cleanallruv.pl as this sometimes leads to ldap freeze)
>
> unable to decode: {replica 30} 5548fa200000001e0000 5548fa200000001e0000
> unable to decode: {replica 26} 5548a9a80000001a0000 5548a9a80000001a0000
>
> for all of them, one-by-one:
>
> ldapmodify -x -D "cn=directory manager" -w XXXXXXX
> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5task
> nsds5task: CLEANRUV30
>
>
> On Fri, Aug 28, 2015 at 4:55 PM, Guillermo Fuentes wrote:
>
> > Hi Janelle,
> >
> > Using the cleanallruv.pl tool was the only way I was able to get rid of
> > the "unable to decode: {replica x}" entries.
> >
> > This is how I used it, cleaning a replica ID at a time:
> > # For replica id: 40
> > cleanallruv.pl -v -D "cn=directory manager" -w - -b 'dc=example,dc=com' -r 40
> >
> > Note that the "-w -" will make the tool prompt you for the directory
> > manager password.
> >
> > Hope this helps,
> > Guillermo
> >
> >
> > On Thu, Aug 27, 2015 at 10:27 AM, Janelle wrote:
> >
> > On 8/27/15 1:05 AM, thierry bordaz wrote:
>> On 08/27/2015 09:41 AM, Ludwig Krispenz wrote:
>>>
>>> On 08/27/2015 09:08 AM, Martin Kosek wrote:
>>>> On 08/26/2015 05:31 PM, Simo Sorce wrote:
>>>>> On Wed, 2015-08-26 at 06:36 -0700, Janelle wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> My biggest problem is losing replicas and then trying to delete the
>>>>>> entries and rebuild them. Here is a perfect example, I simply can't get
>>>>>> rid of these (see below). I have tried (of course after the ORIGINAL
>>>>>> "ipa-replica-manage del hostname --force --clean":
>>>>>>
>>>>>> ipa-replica-manage clean-ruv 25
>>>>>>
>>>>>> ldapmodify... with:
>>>>>> dn: cn=clean 25, cn=cleanallruv, cn=tasks, cn=config
>>>>>> objectclass: extensibleObject
>>>>>> replica-base-dn: dc=example,dc=com
>>>>>> replica-id: 25
>>>>>> cn: clean 25
>>>>>>
>>>>>> And yet nothing works. Any suggestions? This is perhaps the most
>>>>>> frustrating part about maintaining IPA.
>>>>>>
>>>>>> ~J
>>>>>>
>>>>>> unable to decode: {replica 12} 5588dc2e0000000c0000 559f3de60004000c0000
>>>>>> unable to decode: {replica 14} 5587aa8d0000000e0000 5587aa8d0003000e0000
>>>>>> unable to decode: {replica 16} 5588f58f000000100000 55bb7b08000500100000
>>>>>> unable to decode: {replica 25} 55a4887b000000190000 55a49242000400190000
>>>>>> unable to decode: {replica 29} 55d199a50001001d0000 55d199a50001001d0000
>>>>>> unable to decode: {replica 3} 5587c5c3000000030000 55b8a049000100030000
>>>>>> unable to decode: {replica 5} 55cc82ab041d00050000 55cc82ab041d00050000
>>>>> Have you tried restarting DS before trying to clean the ruv ?
>>>>>
>>>>> I run in a similar problem in a test install recently, and I got better
>>>>> results that way. The bug is known to the DS people and they are working
>>>>> to get out patches that fix the root issue.
>>>>>
>>>>> Simo.
>>>> CCing DS folks. Wasn't there a recent DS fix that was supposed to improve the
>>>> RUV situation?
>>>>
>>>> Looking at 389 DS Trac, I see some interesting RUV fixes in 1.3.4.x releases:
>>>>
>>>> https://fedorahosted.org/389/query?summary=~RUV&status=closed&order=milestone&col=id&col=summary&col=status&col=owner&col=type&col=priority&col=milestone
>>>>
>>>> I see that 389-ds-base-1.3.4.3 is already in Fedora 22+, does the RUV issue
>>>> happen there?
>>> it should not, and I think Thierry verified the fix.
>>> The problem we resolved and which we think is the core of the corrupted
>>> RUV was that the cleanallruv task did only purge the RUV, but did not
>>> purge the changelog. If cleanallruv was run and the server had a
>>> disorderly shutdown (crash or abort when shutdown was hanging) then at
>>> restart the changelog RUV was rebuilt from the data in the changelog and
>>> if it contained a csn from cleaned RIDs this was added to the RUV (but
>>> the reference to the server was lost and so the url part is missing from
>>> this RUV).
>>> The fix now does remove all references to the cleaned RID from the
>>> changelog and the problem should not reoccur with RIDs cleaned with the
>>> fix, of course the changelog can still contain references to RIDs
>>> cleaned before the fix - and if no changelog trimming is configured this
>>> is what will happen. So, even after the fix old RUVs could pop up and
>>> have to be (finally) cleaned.
>>>
>>> The other source is that these corrupted ruvs can be "imported" from
>>> another server by exchanging ruvs in the repl protocol. Cleanallruv
>>> tries to address this and to propagate the cleanallruv tasks to all
>>> servers it thinks are connected. If there are replication agreements to
>>> servers which no longer exist or to servers which cannot be connected
>>> this will delay the ruv cleaning
>>>
>>
>> Hello,
>>
>> I verified the fix in 1.3.4.2 F22 / 389-ds-base-1.3.4.0-6.el7 RHEL7, so
>> after those versions CLEANALLRUV do not create any longer corrupted ruv
>> elements.
>> According to the timestamp in the ruv (for example
>> csn2date.py 5587aa8d0003000e0000 --> 22/06/2015:06:26:21)
>> these are old ruv elements. I think Ludwig is right, these corrupted
>> ruv-elements come from old cleanallruv before the fix was applied.
>>
>> The problem is that even a fixed server can get those corrupted
>> ruv-elements from other servers.
>> All servers in the topology should be updated with that fix, so that at
>> least they stop creating corrupted ruv-elements.
>> Now to get rid of the existing ones, I imagine only the brute option of
>> recreating replica and reinit... I hope another option is possible.
>>
>> thanks
>> thierry
>>

For a few minutes - almost an hour actually, I thought there was hope. I found the cleanallruv.pl script and that not only seemed to work, but it wiped the "unable to decode" from all the servers even just running it on one.

Sadly, within an hour, they all came back. :-(

unable to decode {replica 12} 559f3de60004000c0000 559f3de60004000c0000
unable to decode {replica 14} 5587aa8d0003000e0000 5587aa8d0003000e0000
unable to decode {replica 16} 55bb7b08000500100000 55bb7b08000500100000
unable to decode {replica 25} 55a49242000400190000 55a49242000400190000
unable to decode {replica 29} 55d199a50001001d0000 55d199a50001001d0000
unable to decode {replica 31} 55e4bc680005001f0000 55e4bc680005001f0000
unable to decode {replica 3} 55b8a049000100030000 55b8a049000100030000
unable to decode {replica 5} 55cc82ab041d00050000 55cc82ab041d00050000

I cried... Followed by heavy drinking.

~Janelle
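The decoding thierry does above with csn2date.py is a useful triage step before issuing CLEANRUV/CLEANALLRUV tasks: it tells you how old each stale RUV element is, and it lets you sanity-check that the replica id in the "{replica N}" label agrees with the one embedded in the CSN. The script below is an added example, not code from this thread and not FreeIPA's or 389-ds's own tooling. It assumes the 20-hex-digit CSN layout used by 389-ds (8 digits of Unix time, 4 of sequence number, 4 of replica id, 4 of sub-sequence number), prints timestamps in UTC, and runs over sample lines constructed from the values quoted in this thread plus one deliberately mislabelled line (replica 99) to exercise the consistency check.

```python
"""Triage 'unable to decode: {replica N} <min-csn> <max-csn>' lines.

Added example for the thread above; the CSN layout (time/seq/rid/subseq)
is the one used by 389 Directory Server, the sample input is constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample: four lines taken from the thread (with and without the
# colon after "decode", both forms appear) plus one line whose label was
# deliberately changed to 99 so that it disagrees with the rid in its CSN.
SAMPLE_RUV_LINES = """\
unable to decode: {replica 12} 5588dc2e0000000c0000 559f3de60004000c0000
unable to decode: {replica 14} 5587aa8d0000000e0000 5587aa8d0003000e0000
unable to decode: {replica 30} 5548fa200000001e0000 5548fa200000001e0000
unable to decode {replica 31} 55e4bc680005001f0000 55e4bc680005001f0000
unable to decode: {replica 99} 5548a9a80000001a0000 5548a9a80000001a0000
"""

CSN_RE = re.compile(r"^[0-9a-f]{20}$")
RUV_LINE_RE = re.compile(r"\{replica (\d+)\}\s+([0-9a-f]{20})\s+([0-9a-f]{20})")


def decode_csn(csn):
    """Return (timestamp, seq, rid, subseq) for a 20-hex-digit CSN.

    Layout: 8 hex digits of Unix time, 4 of sequence number, 4 of replica id
    and 4 of sub-sequence number. Raises ValueError on anything else.
    """
    if not CSN_RE.match(csn):
        raise ValueError("not a CSN: %r" % (csn,))
    return (int(csn[0:8], 16), int(csn[8:12], 16),
            int(csn[12:16], 16), int(csn[16:20], 16))


def csn_to_date(csn):
    """Format the CSN timestamp like csn2date.py does (UTC here)."""
    ts = decode_csn(csn)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%d/%m/%Y:%H:%M:%S")


def triage_ruv(text, now_ts):
    """Parse RUV listing lines and describe each stale element.

    now_ts is the reference time (Unix seconds) used to compute the age of
    the newest CSN of each element; rid_matches is False when the printed
    replica label disagrees with the rid embedded in that CSN.
    """
    report = []
    for line in text.splitlines():
        m = RUV_LINE_RE.search(line)
        if not m:
            continue
        label_rid = int(m.group(1))
        max_csn = m.group(3)
        max_ts, _seq, csn_rid, _sub = decode_csn(max_csn)
        report.append({
            "label_rid": label_rid,
            "csn_rid": csn_rid,
            "rid_matches": label_rid == csn_rid,
            "last_change": csn_to_date(max_csn),
            "age_days": (now_ts - max_ts) // 86400,
        })
    return report


if __name__ == "__main__":
    # 1441065600 is 01/09/2015 00:00:00 UTC, roughly when the thread was written.
    for row in triage_ruv(SAMPLE_RUV_LINES, 1441065600):
        print(row)
```

Run against the constructed input, replicas 12, 14 and 30 come out weeks to months old, which matches thierry's reading of them as leftovers from cleanallruv runs that predate the fix, while replica 31's CSN is from the day before the message was sent. An element whose label and embedded rid disagree is worth a closer look before cleaning, since the rid is what the CLEANRUV task is keyed on.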
From janellenicole80 at gmail.com Tue Sep 1 16:11:08 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 1 Sep 2015 09:11:08 -0700
Subject: [Freeipa-users] CA replicas different views???
Message-ID: <55E5CE1C.7000509@gmail.com>

Hello,

I am very confused. I have a couple of data centers and as expected, I
have setup CA replicas in each DC. However, this is what makes me
nervous/afraid of my configs. In one data center, while sitting on a
master and issuing:

(as seen from ipa006.example.com)
ipa-csreplica-manage list

I see

ipa002.example.com: master

BUT as seen from ipa010.example.com

ipa002.example.com: CA not configured

How is this possible???

~Janelle

From rcritten at redhat.com Tue Sep 1 16:23:04 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Sep 2015 12:23:04 -0400
Subject: [Freeipa-users] CA replicas different views???
In-Reply-To: <55E5CE1C.7000509@gmail.com>
References: <55E5CE1C.7000509@gmail.com>
Message-ID: <55E5D0E8.5000709@redhat.com>

Janelle wrote:
> Hello,
>
> I am very confused. I have a couple of data centers and as expected, I
> have setup CA replicas in each DC. However, this is what makes me
> nervous/afraid of my configs. In one data center, while sitting on a
> master and issuing:
>
> (as seen from ipa006.example.com)
> ipa-csreplica-manage list
>
> I see
>
> ipa002.example.com: master
>
> BUT as seen from ipa010.example.com
>
> ipa002.example.com: CA not configured
>
> How is this possible???
>
> ~Janelle
>

It may be an indication of a replication problem. This data is stored in
cn=masters,cn=ipa,cn=etc,$SUFFIX

It looks for cn=CA for a given host to see if it has the service
configured. I would start by looking in that subtree on both hosts.

rob

From cmohler at oberlin.edu Tue Sep 1 19:16:39 2015
From: cmohler at oberlin.edu (Chris Mohler)
Date: Tue, 1 Sep 2015 15:16:39 -0400
Subject: [Freeipa-users] Ipa add-user non interactively specifying a password.
Message-ID: <55E5F997.4000708@oberlin.edu>

Hi List,
I'm trying to make a script to add users non interactively with ipa
add-user and specify a password of testpw

I tried:

ipa user-add username --first=firstname --last=lastname --homedir=/home/username --password testpw --gidnumber=0000 --noprivate --shell=/bin/bash
#ipa: ERROR: command 'user_add' takes at most 1 argument

and this:

ipa user-add username --first=firstname --last=lastname --homedir=/home/username --password=testpw --gidnumber=0000 --noprivate --shell=/bin/bash
#ipa: error: --password option does not take a value

No Luck.

Any suggestions?

Thanks

From CWhite at skytouchtechnology.com Tue Sep 1 19:33:51 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Tue, 1 Sep 2015 19:33:51 +0000
Subject: [Freeipa-users] Ipa add-user non interactively specifying a password.
In-Reply-To: <55E5F997.4000708@oberlin.edu>
References: <55E5F997.4000708@oberlin.edu>
Message-ID:

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Chris Mohler
Sent: Tuesday, September 01, 2015 12:17 PM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Ipa add-user non interactively specifying a password.

Hi List,
I'm trying to make a script to add users non interactively with ipa add-user and specify a password of testpw

I tried:

ipa user-add username --first=firstname --last=lastname --homedir=/home/username --password testpw --gidnumber=0000 --noprivate --shell=/bin/bash
#ipa: ERROR: command 'user_add' takes at most 1 argument

and this:

ipa user-add username --first=firstname --last=lastname --homedir=/home/username --password=testpw --gidnumber=0000 --noprivate --shell=/bin/bash
#ipa: error: --password option does not take a value

No Luck.

Any suggestions?
-----
I will take it a lot further - salt to taste (and watch the line wraps)...

#!/bin/sh
#
# Script to automate adding users
#
# Updated 12/16/2014
# Craig White
#
CMD1='/usr/bin/ipa user-add'
CMD2='/usr/bin/ipa group-add-member'
TEE='/usr/bin/tee -a'
LOG='/tmp/ipa_users_add.txt'
MAIL='/bin/mailx'
# The redirection truncates the log file, which will later hold the
# generated password until it is mailed and removed at the end.
KERB=`klist -s; echo $?` > "$LOG"
[[ -n "$4" ]] || { echo "Usage: ipa_user_add.sh LOGIN FIRST_NAME LAST_NAME EMAIL GROUPS " && echo " REQUIRED ----> ^ ^ ^ ^" && echo "You can have many groups separated with just a space"; exit 0 ; }
[[ $KERB == "0" ]] || { echo "Your kerberos ticket has expired - Please create a valid kerberos ticket by typing 'kinit'"; exit 0 ; }
if [ -z "$EMAIL" ]; then
    echo "You need to add EMAIL to your environment variables - type 'export EMAIL=YOUR_EMAIL_ADDRESS' before running this command or better yet, add it to your .bash_profile"
    exit 0
fi

# --random makes ipa generate the initial password and print it, so it
# lands in the log rather than on the command line.
$CMD1 "$1" --first="$2" --last="$3" --random --email="$4" | $TEE "$LOG"
echo "---- ----- ----- ----- -----" | $TEE "$LOG"
echo "You must login and change your password" | $TEE "$LOG"
echo "SSH to some server you have access to" | $TEE "$LOG"
echo "or" | $TEE "$LOG"
echo "https://_IPA_SERVER_1_/ipa/ui OR https://_IPA_SERVER_2_/ipa/ui" | $TEE "$LOG"
echo " - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -" | $TEE "$LOG"
$CMD2 ipausers --users="$1" | $TEE "$LOG"
if [ -n "$5" ]; then
    $CMD2 "$5" --users="$1" | $TEE "$LOG"
fi
if [ -n "$6" ]; then
    $CMD2 "$6" --users="$1" | $TEE "$LOG"
fi
if [ -n "$7" ]; then
    $CMD2 "$7" --users="$1" | $TEE "$LOG"
fi
if [ -n "$8" ]; then
    $CMD2 "$8" --users="$1" | $TEE "$LOG"
fi
if [ -n "$9" ]; then
    $CMD2 "$9" --users="$1" | $TEE "$LOG"
fi
echo "See attachment for login information" | $MAIL -s 'New Account Information' -r "$EMAIL" -a "$LOG" "$4"
/bin/rm -f "$LOG"

From abokovoy at redhat.com Tue Sep 1 19:39:37 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 1 Sep 2015 22:39:37 +0300
Subject: [Freeipa-users] Ipa add-user non interactively specifying a password.
In-Reply-To: <55E5F997.4000708@oberlin.edu>
References: <55E5F997.4000708@oberlin.edu>
Message-ID: <20150901193937.GG22106@redhat.com>

On Tue, 01 Sep 2015, Chris Mohler wrote:
>Hi List,
>I'm trying to make a script to add users non interactively with ipa
>add-user and specify a password of testpw
>
>I tried:
>
>ipa user-add username --first=firstname --last=lastname
>--homedir=/home/username --password testpw --gidnumber=0000
>--noprivate --shell=/bin/bash
>#ipa: ERROR: command 'user_add' takes at most 1 argument
>
>and this:
>
>ipa user-add username --first=firstname --last=lastname
>--homedir=/home/username --password=testpw --gidnumber=0000
>--noprivate --shell=/bin/bash
>#ipa: error: --password option does not take a value
>
>No Luck.
>
>Any suggestions?
Read the help :)

$ ipa help user-add|grep -- --password
  --password            Prompt to set the user password

E.g. --password option does not take *any* parameter, it *prompts* to
enter the password and expects standard input to provide the password.

In the first example you added a parameter after --password and since
--password does not consume anything, it was considered as another
argument but 'ipa user-add' indeed takes a single argument, thus an
error.

In the second example you are explicitly forcing --password to take some
parameter and are told that it does not accept anything, just like help
is saying.

What you want can be achieved like this:

$ cat /my/password/file | ipa user-add username --first=firstname --last=lastname --password

--
/ Alexander Bokovoy

From prasun.gera at gmail.com Tue Sep 1 18:56:08 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Tue, 1 Sep 2015 11:56:08 -0700
Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts
In-Reply-To: <558EA478.9040008@redhat.com>
References: <20150624074920.GF11174@hendrix.redhat.com> <20150624083122.GG11174@hendrix.redhat.com> <558EA478.9040008@redhat.com>
Message-ID:

So I've again spent a couple of hours debugging a very similar issue.
Client install would seemingly pass, but with "Unable to find 'admin'
user with 'getent passwd admin at domain'!" at the end. And nobody would be
able to authenticate. The reason was that /etc/nsswitch.conf wasn't
updated. sss wasn't added to it. Wading through this thread
https://www.redhat.com/archives/freeipa-users/2015-March/msg00538.html
provided some hints. I have no idea why it did that, but as I have
experienced before, modifying critical system files this way from python
scripts which don't have proper transactional support is very dangerous.
I suspect that this has something to do with a prior failed install or
uninstall attempt which left it in an inconsistent state. Is it possible
to move from this backup-modify-restore approach to critical files to
something more robust which has transactional guarantees ?

On Sat, Jun 27, 2015 at 6:26 AM, Dmitri Pal wrote:

> On 06/24/2015 04:31 AM, Jakub Hrozek wrote:
>
>> On Wed, Jun 24, 2015 at 01:24:37AM -0700, Prasun Gera wrote:
>>
>>> Thanks. It's good to know that it is fixed upstream. For discussion
>>> though, are any enhancements planned for dealing with
>>> installation/removal of ipa ?
>>>
>> Not sure, but please file bugs as you see them.
>>
> Yes, please be more specific. The bugs that were mentioned by Jakub are
> making its way into downstream.
> If there are any other issues you are concerned about please let us know.
>
> --
> Thank you,
> Dmitri Pal
>
> Director of Engineering for IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From cmohler at oberlin.edu Tue Sep 1 19:54:22 2015
From: cmohler at oberlin.edu (Chris Mohler)
Date: Tue, 1 Sep 2015 15:54:22 -0400
Subject: [Freeipa-users] Ipa add-user non interactively specifying a password.
In-Reply-To:
References: <55E5F997.4000708@oberlin.edu>
Message-ID: <55E6026E.8000402@oberlin.edu>

Thanks Craig!
That's quite a handy reply. It's actually a lot nicer than what I was planning to do. I appreciate this a lot.

-Chris

On 09/01/2015 03:33 PM, Craig White wrote:
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Chris Mohler
> Sent: Tuesday, September 01, 2015 12:17 PM
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] Ipa add-user non interactively specifying a password.
>
> Hi List,
> I'm trying to make a script to add users non interactively with ipa add-user and specify a password of testpw
>
> I tried:
>
> ipa user-add username --first=firstname --last=lastname --homedir=/home/username --password testpw --gidnumber=0000 --noprivate --shell=/bin/bash
> #ipa: ERROR: command 'user_add' takes at most 1 argument
>
> and this:
>
> ipa user-add username --first=firstname --last=lastname --homedir=/home/username --password=testpw --gidnumber=0000 --noprivate --shell=/bin/bash
> #ipa: error: --password option does not take a value
>
> No Luck.
>
> Any suggestions?
> -----
> I will take it a lot further - salt to taste (and watch the line wraps)...
>
> #!/bin/bash
> #
> # Script to automate adding users
> #
> # Updated 12/16/2014
> # Craig White
> #
> CMD1='/usr/bin/ipa user-add'
> CMD2='/usr/bin/ipa group-add-member'
> TEE='/usr/bin/tee -a'
> # The log holds the generated password until it is mailed, so use a private
> # temp file instead of a fixed, predictable /tmp name that anyone could pre-create or read.
> LOG=$(mktemp /tmp/ipa_users_add.XXXXXX) || exit 1
> MAIL='/bin/mailx'
> # klist -s exits 0 only when a valid Kerberos ticket is present
> klist -s; KERB=$?
> [[ -n "$4" ]] || { echo "Usage: ipa_user_add.sh LOGIN FIRST_NAME LAST_NAME EMAIL GROUPS "; echo "              REQUIRED ----> ^     ^          ^         ^"; echo "You can have many groups separated with just a space"; exit 1 ; }
> [[ $KERB == "0" ]] || { echo "Your kerberos ticket has expired - Please create a valid kerberos ticket by typing 'kinit'"; exit 1 ; }
> if [ -z "$EMAIL" ]; then
>   echo "You need to add EMAIL to your environment variables - type 'export EMAIL=YOUR_EMAIL_ADDRESS' before running this command or better yet, add it to your .bash_profile"
>   exit 1
> fi
>
> $CMD1 "$1" --first="$2" --last="$3" --random --email="$4" | $TEE "$LOG"
> echo "---- ----- ----- ----- -----" | $TEE "$LOG"
> echo "You must login and change your password" | $TEE "$LOG"
> echo "SSH to some server you have access to" | $TEE "$LOG"
> echo "or" | $TEE "$LOG"
> echo "https://_IPA_SERVER_1_/ipa/ui OR https://_IPA_SERVER_2_/ipa/ui" | $TEE "$LOG"
> echo " - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -" | $TEE "$LOG"
> $CMD2 ipausers --users="$1" | $TEE "$LOG"
> # every argument after EMAIL is a group the new user is added to
> for GROUP in "${@:5}"; do
>   $CMD2 "$GROUP" --users="$1" | $TEE "$LOG"
> done
> echo "See attachment for login information" | $MAIL -s 'New Account Information' -r "$EMAIL" -a "$LOG" "$4"
> /bin/rm -f "$LOG"

From janellenicole80 at gmail.com Tue Sep 1 20:06:45 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 1 Sep 2015 13:06:45 -0700
Subject: [Freeipa-users] Ipa add-user non interactively specifying a password.
In-Reply-To: <55E6026E.8000402@oberlin.edu>
References: <55E5F997.4000708@oberlin.edu> <55E6026E.8000402@oberlin.edu>
Message-ID: <55E60555.6070105@gmail.com>

You could use --random instead of --password, which will force a nice 10 char random PW that can be captured and sent to your user.

~J

On 9/1/15 12:54 PM, Chris Mohler wrote:
> Thanks Craig!
> That's quite a handy reply. It's actually a lot nicer than what I was
> planning to do. I appreciate this a lot.
>
> -Chris
>
>
> On 09/01/2015 03:33 PM, Craig White wrote:
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Chris Mohler
>> Sent: Tuesday, September 01, 2015 12:17 PM
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] Ipa add-user non interactively specifying a
>> password.
>>
>> Hi List,
>> I'm trying to make a script to add users non interactively with ipa
>> add-user and specify a password of testpw
>>
>> I tried:
>>
>> ipa user-add username --first=firstname --last=lastname
>> --homedir=/home/username --password testpw --gidnumber=0000
>> --noprivate --shell=/bin/bash
>> #ipa: ERROR: command 'user_add' takes at most 1 argument
>>
>> and this:
>>
>> ipa user-add username --first=firstname --last=lastname
>> --homedir=/home/username --password=testpw --gidnumber=0000
>> --noprivate --shell=/bin/bash
>> #ipa: error: --password option does not take a value
>>
>> No Luck.
>>
>> Any suggestions?
>> -----
>> I will take it a lot further - salt to taste (and watch the line wraps)...
From cmohler at oberlin.edu Tue Sep 1 20:07:38 2015
From: cmohler at oberlin.edu (Chris Mohler)
Date: Tue, 1 Sep 2015 16:07:38 -0400
Subject:
[Freeipa-users] Ipa add-user non interactively specifying a password.
In-Reply-To: <20150901193937.GG22106@redhat.com>
References: <55E5F997.4000708@oberlin.edu> <20150901193937.GG22106@redhat.com>
Message-ID: <55E6058A.1060604@oberlin.edu>

Thanks Alexander,

I tried the help but there were only two choices. Specify a password interactively --password, or randomly generate one with --random. I agree with you the errors in the output are expected, I was just hoping for some undocumented magic. Piping the output from cat into the password prompt is a great idea and does fix the issue I was having. It's not really intuitive but still makes me wonder why I didn't think of that. Anyhow I changed it up a bit with

echo testpw | ipa user-add username --first=firstname --last=lastname --password --gidnumber=0000 --noprivate --shell=/bin/bash

And it totally works. Thank you again.

-Chris

On 09/01/2015 03:39 PM, Alexander Bokovoy wrote:
> On Tue, 01 Sep 2015, Chris Mohler wrote:
>> Hi List,
>> I'm trying to make a script to add users non interactively with ipa
>> add-user and specify a password of testpw
>>
>> I tried:
>>
>> ipa user-add username --first=firstname --last=lastname
>> --homedir=/home/username --password testpw --gidnumber=0000
>> --noprivate --shell=/bin/bash
>> #ipa: ERROR: command 'user_add' takes at most 1 argument
>>
>> and this:
>>
>> ipa user-add username --first=firstname --last=lastname
>> --homedir=/home/username --password=testpw --gidnumber=0000
>> --noprivate --shell=/bin/bash
>> #ipa: error: --password option does not take a value
>>
>> No Luck.
>>
>> Any suggestions?
> Read the help :)
>
> $ ipa help user-add|grep -- --password
>   --password            Prompt to set the user password
>
> E.g. --password option does not take *any* parameter, it *prompts* to
> enter the password and expects standard input to provide the password.
> In the first example you added a parameter after --password and since
> --password does not consume anything, it was considered as another
> argument but 'ipa user-add' indeed takes a single argument, thus an
> error.
>
> In the second example you are explicitly forcing --password to take some
> parameter and is told that it does not accept anything, just like help
> is saying.
>
> What you want can be achieved like this:
>
> $ cat /my/password/file | ipa user-add username --first=firstname
> --last=lastname --password
>

From gustavo.mateus at gmail.com Tue Sep 1 20:55:39 2015
From: gustavo.mateus at gmail.com (Gustavo Mateus)
Date: Tue, 1 Sep 2015 13:55:39 -0700
Subject: [Freeipa-users] ipa-client on aws (amazon linux)
Message-ID:

Hi,

Does anyone have an updated list of packages or installation steps to get the ipa-client properly installed on an Amazon Linux (2015.03.1 to be more precise). I plan to use Red Hat as my ipa-server but the clients need to be Amazon Linux.

Thanks,

Gustavo

From prashant at apigee.com Wed Sep 2 05:52:48 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 2 Sep 2015 11:22:48 +0530
Subject: [Freeipa-users] ipa-client on aws (amazon linux)
In-Reply-To:
References:
Message-ID:

Hi,

Running a freeipa-client on Amazon Linux is a huge challenge. This is because the client depends on SSSD which in turn uses Samba libraries which Amazon Linux does not support. I tried this sometime back and gave up. Instead we went with pam-nss-ldap route which works great with compat ldap schema. Run the "ipa-advise" command for more details.

I'm running the pam-nss-ldap client on 2000+ servers in AWS with Amazon Linux.

HTH.

--Prashant

On 2 September 2015 at 02:25, Gustavo Mateus wrote:
> Hi,
>
> Does anyone have an updated list of packages or installation steps to get
> the ipa-client properly installed on an Amazon Linux (2015.03.1 to be more
> precise).
>
> I plan to use Red Hat as my ipa-server but the clients need to be Amazon
> Linux.
>
> Thanks,
>
> Gustavo
>

From lslebodn at redhat.com Wed Sep 2 07:13:22 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 2 Sep 2015 09:13:22 +0200
Subject: [Freeipa-users] ipa-client on aws (amazon linux)
In-Reply-To:
References:
Message-ID: <20150902071322.GG8927@mail.corp.redhat.com>

On (02/09/15 11:22), Prashant Bapat wrote:
>Hi,
>
>Running a freeipa-client on Amazon Linux is a huge challenge. This is
>because the client depends on SSSD which in turn uses Samba libraries which
>Amazon Linux does not support.
sssd >= 1.11 can be compiled without samba libraries.
But result is missing ad and ipa provider.
So you would need to manually configure sssd with ldap provider against
FreeIPA.

>I tried this sometime back and gave up.
>Instead we went with pam-nss-ldap route which works great with compat ldap
>schema. Run the "ipa-advise" command for more details.
>
>I'm running the pam-nss-ldap client on 2000+ servers in AWS with Amazon
>Linux.
>
ipa-client install has option "--no-sssd"
  -S, --no-sssd         Do not configure the client to use SSSD for authentication

LS

From lslebodn at redhat.com Wed Sep 2 07:15:22 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 2 Sep 2015 09:15:22 +0200
Subject: [Freeipa-users] User AD can not Login Client Linux
In-Reply-To: <20150828064441.GB32704@mail.corp.redhat.com>
References: <20150828064441.GB32704@mail.corp.redhat.com>
Message-ID: <20150902071521.GH8927@mail.corp.redhat.com>

On (28/08/15 08:44), Lukas Slebodnik wrote:
>On (23/08/15 17:53), alireza baghery wrote:
>>Hi i install Centos 7.1 (IDM Server)
>>and integrate with Windows SERVER 2008 R2 Trust
>>USER AD can not Login on client (OLE 6.6) but User create idm can login
>>
>>name IDM SERVER= ipasrv.l.infotechpsp.net
>>domain Windows = infotechpsp.net
>>
>>i execute [ kinit abagheri at infotechpsp.net] on IDM Server
>>and klist and show keytab abagheri
>>but execute kvno abagher at INFOTECHPSP.NET
>>get ERROR kvno Server not found in kerberos database
>>please help me and thank you
>>
>>KLIST
>>================================
>>
>>Valid starting       Expires              Service principal
>>08/23/15 17:09:53    08/24/15 03:11:34    krbtgt/INFOTECHPSP.NET at INFOTECHPSP.NET
>>        renew until 08/24/15 17:09:53
>>
>>=====================================
>>
>>Tail LOG /var/log/sssd/ssd_l.infotechpsp.net debug_level = 6
>>=====================================
>>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/ussd7.l.infotechpsp.net, L.INFOTECHPSP.NET, 86400)
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [be_resolve_server_process] (0x0200): Found address for server ipasrv.l.infotechpsp.net: [10.30.160.19] TTL 1200
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [write_pipe_handler] (0x0400): All data has been sent!
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [read_pipe_handler] (0x0400): EOF received, client finished
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_L.INFOTECHPSP.NET], expired on [1440420165]
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ussd7.l.infotechpsp.net
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [child_sig_handler] (0x0100): child [13370] finished successfully.
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipasrv.l.infotechpsp.net' as 'working'
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [set_server_common_status] (0x0100): Marking server 'ipasrv.l.infotechpsp.net' as 'working'
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=l,dc=infotechpsp,dc=net].
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=l,dc=infotechpsp,dc=net].
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=l,dc=infotechpsp,dc=net].
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=abagheri]
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
>There seems to be a problem on server side.
>It is very likely a bug in sssd on FreeIPA server.
>
>Some AD related fixes are included in latest update in el7.1
>(1.12.2-58.el7_1.14)
>
>If it does not help please try to upgrade to the latest upstream version
>of sssd[1]. I hope it will help otherwise we will need to see log files
>from IPA server.
>
>LS
>
>[1] https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
>
Did it help to upgrade sssd?

LS

From prashant at apigee.com Wed Sep 2 07:28:44 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 2 Sep 2015 12:58:44 +0530
Subject: [Freeipa-users] ipa-client on aws (amazon linux)
In-Reply-To: <20150902071322.GG8927@mail.corp.redhat.com>
References: <20150902071322.GG8927@mail.corp.redhat.com>
Message-ID:

Lukas,

ipa-client-install is part of the freeipa-client rpm. On Amazon Linux this rpm cannot be installed. This is the basic issue.

Thanks.

On 2 September 2015 at 12:43, Lukas Slebodnik wrote:
> On (02/09/15 11:22), Prashant Bapat wrote:
> >Hi,
> >
> >Running a freeipa-client on Amazon Linux is a huge challenge. This is
> >because the client depends on SSSD which in turn uses Samba libraries
> which
> >Amazon Linux does not support.
> sssd >= 1.11 can be compiled without samba libraries.
> But result is missing ad and ipa provider.
> So you would need to manually configure sssd with ldap provider against
> FreeIPA.
>
> >I tried this sometime back and gave up.
> >Instead we went with pam-nss-ldap route which works great with compat ldap
> >schema. Run the "ipa-advise" command for more details.
> >
> >I'm running the pam-nss-ldap client on 2000+ servers in AWS with Amazon
> >Linux.
> >
> ipa-client install has option "--no-sssd"
>   -S, --no-sssd         Do not configure the client to use SSSD for
> authentication
>
> LS
>

From lslebodn at redhat.com Wed Sep 2 07:32:12 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 2 Sep 2015 09:32:12 +0200
Subject: [Freeipa-users] FreeIPA Sudo Error: Resource temporarily unavailable
In-Reply-To:
References:
Message-ID: <20150902073212.GI8927@mail.corp.redhat.com>

On (01/09/15 18:18), Yogesh Sharma wrote:
>Hi,
>
>This is fixed. On digging more found that my resolv.conf was updated and it
>was not able to find the domain. Fixing the resolv.conf with right
>nameserver, fixed the issue.
>
I know it was solved but you would not miss important debug message with lower debug level.

>>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40bc10:3:vg4381 at klikpay.int]
>>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [klikpay.int][3][1][name=vg4381]
>>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40bc10:3:vg4381 at klikpay.int]
>>> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider
>>> Error: 1, 11, Offline

sssd was in offline mode because it was not able to connect to IPA server.
LS

From lslebodn at redhat.com Wed Sep 2 07:36:39 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 2 Sep 2015 09:36:39 +0200
Subject: [Freeipa-users] ipa-client on aws (amazon linux)
In-Reply-To:
References: <20150902071322.GG8927@mail.corp.redhat.com>
Message-ID: <20150902073638.GJ8927@mail.corp.redhat.com>

On (02/09/15 12:58), Prashant Bapat wrote:
>Lukas,
>
>ipa-client-install is part of the freeipa-client rpm. On Amazon Linux this
>rpm cannot be installed. This is the basic issue.
>
Indeed.
there is a strict requires for sssd

Requires: sssd >= 1.12.3      #from fedora spec file

Using ipa-advise might be more comfortable way rather than patch spec file or create modified rpms.

LS

From lkrispen at redhat.com Wed Sep 2 12:55:54 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 02 Sep 2015 14:55:54 +0200
Subject: [Freeipa-users] stubborn old replicas
In-Reply-To: <55E5CF87.9030701@gmail.com>
References: <55DDC0D9.5050406@gmail.com> <1440603108.8138.83.camel@willson.usersys.redhat.com> <55DEB75C.3050108@redhat.com> <55DEBF3A.2040509@redhat.com> <55DEC4CE.3040701@redhat.com> <55DF1E34.1030202@gmail.com> <55E5CF87.9030701@gmail.com>
Message-ID: <55E6F1DA.8090409@redhat.com>

Hi Janelle,

On 09/01/2015 06:17 PM, Janelle wrote:
> On 8/28/15 8:17 AM, Vaclav Adamec wrote:
>> You could try this (RH recommended way).
>> It works for me better than cleanallruv.pl as this sometimes leads to
>> ldap freeze)
>>
>> unable to decode: {replica 30} 5548fa200000001e0000 5548fa200000001e0000
>> unable to decode: {replica 26} 5548a9a80000001a0000 5548a9a80000001a0000
>>
>> for all of them, one-by-one:
>>
>> ldapmodify -x -D "cn=directory manager" -w XXXXXXX
>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5task
>> nsds5task: CLEANRUV30
>> +
>>
>> On Fri, Aug 28, 2015 at 4:55 PM, Guillermo Fuentes wrote:
>>
>>     Hi Janelle,
>>
>>     Using the cleanallruv.pl tool was the only way I was able to get rid
>>     of the "unable to decode: {replica x}" entries.
>>
>>     This is how I used it, cleaning a replica ID at a time:
>>     # For replica id: 40
>>     cleanallruv.pl -v -D "cn=directory manager" -w - -b 'dc=example,dc=com' -r 40
>>
>>     Note that the "-w -" will make the tool prompt you for the
>>     directory manager password.
>>
>>     Hope this helps,
>>     Guillermo
>>
>>     On Thu, Aug 27, 2015 at 10:27 AM, Janelle wrote:
>>
>>         On 8/27/15 1:05 AM, thierry bordaz wrote:
>>> On 08/27/2015 09:41 AM, Ludwig Krispenz wrote:
>>>>
>>>> On 08/27/2015 09:08 AM, Martin Kosek wrote:
>>>>> On 08/26/2015 05:31 PM, Simo Sorce wrote:
>>>>>> On Wed, 2015-08-26 at 06:36 -0700, Janelle wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> My biggest problem is losing replicas and then trying to delete the
>>>>>>> entries and rebuild them. Here is a perfect example, I simply can't get
>>>>>>> rid of these (see below). I have tried (of course after the ORIGINAL
>>>>>>> "ipa-replica-manage del hostname --force --clean":
>>>>>>>
>>>>>>> ipa-replica-manage clean-ruv 25
>>>>>>>
>>>>>>> ldapmodify... with:
>>>>>>> dn: cn=clean 25, cn=cleanallruv, cn=tasks, cn=config
>>>>>>> objectclass: extensibleObject
>>>>>>> replica-base-dn: dc=example,dc=com
>>>>>>> replica-id: 25
>>>>>>> cn: clean 25
>>>>>>>
>>>>>>> And yet nothing works. Any suggestions?
>>>>>>> This is perhaps the most frustrating part about maintaining IPA.
>>>>>>>
>>>>>>> ~J
>>>>>>>
>>>>>>> unable to decode: {replica 12} 5588dc2e0000000c0000 559f3de60004000c0000
>>>>>>> unable to decode: {replica 14} 5587aa8d0000000e0000 5587aa8d0003000e0000
>>>>>>> unable to decode: {replica 16} 5588f58f000000100000 55bb7b08000500100000
>>>>>>> unable to decode: {replica 25} 55a4887b000000190000 55a49242000400190000
>>>>>>> unable to decode: {replica 29} 55d199a50001001d0000 55d199a50001001d0000
>>>>>>> unable to decode: {replica 3} 5587c5c3000000030000 55b8a049000100030000
>>>>>>> unable to decode: {replica 5} 55cc82ab041d00050000 55cc82ab041d00050000
>>>>>> Have you tried restarting DS before trying to clean the ruv ?
>>>>>>
>>>>>> I ran into a similar problem in a test install recently, and I got better
>>>>>> results that way. The bug is known to the DS people and they are working
>>>>>> to get out patches that fix the root issue.
>>>>>>
>>>>>> Simo.
>>>>> CCing DS folks. Wasn't there a recent DS fix that was supposed to improve
>>>>> the RUV situation?
>>>>>
>>>>> Looking at 389 DS Trac, I see some interesting RUV fixes in 1.3.4.x
>>>>> releases:
>>>>>
>>>>> https://fedorahosted.org/389/query?summary=~RUV&status=closed&order=milestone&col=id&col=summary&col=status&col=owner&col=type&col=priority&col=milestone
>>>>>
>>>>> I see that 389-ds-base-1.3.4.3 is already in Fedora 22+, does the RUV
>>>>> issue happen there?
>>>> it should not, and I think Thierry verified the fix.
>>>> The problem we resolved and which we think is the core of the corrupted
>>>> RUV was that the cleanallruv task did only purge the RUV, but did not
>>>> purge the changelog.
>>>> If cleanallruv was run and the server had a disorderly shutdown (crash
>>>> or abort when shutdown was hanging) then at restart the changelog RUV
>>>> was rebuilt from the data in the changelog and if it contained a csn
>>>> from cleaned RIDs this was added to the RUV (but the reference to the
>>>> server was lost and so the url part is missing from this RUV).
>>>> The fix now does remove all references to the cleaned RID from the
>>>> changelog and the problem should not reoccur with RIDs cleaned with the
>>>> fix, of course the changelog can still contain references to RIDs
>>>> cleaned before the fix - and if no changelog trimming is configured this
>>>> is what will happen. So, even after the fix old RUVs could pop up and
>>>> have to be (finally) cleaned.
>>>>
>>>> The other source is that these corrupted ruvs can be "imported" from
>>>> another server by exchanging ruvs in the repl protocol. Cleanallruv
>>>> tries to address this and to propagate the cleanallruv tasks to all
>>>> servers it thinks are connected. If there are replication agreements to
>>>> servers which no longer exist or to servers which cannot be connected
>>>> this will delay the ruv cleaning
>>>>
>>>
>>> Hello,
>>>
>>> I verified the fix in 1.3.4.2 F22 / 389-ds-base-1.3.4.0-6.el7 RHEL7, so
>>> after those versions CLEANALLRUV no longer creates corrupted ruv elements.
>>> According to the timestamp in the ruv (for example
>>> csn2date.py 5587aa8d0003000e0000 --> 22/06/2015:06:26:21)
>>> these are old ruv elements. I think Ludwig is right, these corrupted
>>> ruv-elements come from old cleanallruv before the fix was applied.
>>>
>>> The problem is that even a fixed server can get those corrupted
>>> ruv-elements from other servers.
>>> All servers in the topology should be updated with that fix, so that at
>>> least they stop creating corrupted ruv-elements.
>>> Now to get rid of the existing ones, I imagine only brute option of
>>> recreating replica and reinit... I hope an other option is possible.
>>>
>>> thanks
>>> thierry
>>>
> For a few minutes - almost an hour actually, I thought there was hope. I
> found the cleanallruv.pl script and that not only seemed to work, but it
> wiped the "unable to decode" from all the servers even just running it on
> one. Sadly, within an hour, they all came back. :-(
>
> unable to decode {replica 12} 559f3de60004000c0000 559f3de60004000c0000
> unable to decode {replica 14} 5587aa8d0003000e0000 5587aa8d0003000e0000
> unable to decode {replica 16} 55bb7b08000500100000 55bb7b08000500100000
> unable to decode {replica 25} 55a49242000400190000 55a49242000400190000
> unable to decode {replica 29} 55d199a50001001d0000 55d199a50001001d0000
> unable to decode {replica 31} 55e4bc680005001f0000 55e4bc680005001f0000
> unable to decode {replica 3} 55b8a049000100030000 55b8a049000100030000
> unable to decode {replica 5} 55cc82ab041d00050000 55cc82ab041d00050000
>
> I cried... Followed by heavy drinking.
does drinking help, could be a great workaround ?

Now, more seriously, I think you need a build including the mentioned improvement for cleanallruv, we are currently checking if and where it is available for 7.1. But this fix will only help in future cleanallruvs, so you probably need to go thru a few iterations of cleaning. Since the core problem of the corrupted ruvs is that they can be recreated from the changelog I think configuring changelog trimming is something that should be done.

>
> ~Janelle
>
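Thierry's csn2date.py check (a CSN timestamp tells you whether an "unable to decode" RUV element predates the cleanallruv fix) can be done offline. The following is an added example, not code from the thread or from 389-ds/FreeIPA; it assumes the documented 389-ds CSN layout (8 hex digits of Unix time, 4 of sequence number, 4 of replica id, 4 of sub-sequence number) and uses the RUV lines Janelle posted above as constructed sample input.

```python
import re
from datetime import datetime, timezone

# Assumed 389-ds CSN layout: 20 hex digits, 8 (Unix time, seconds) + 4 (sequence
# number) + 4 (replica id) + 4 (sub-sequence number).
CSN_RE = re.compile(r"^[0-9a-f]{20}$", re.IGNORECASE)

# Matches both spellings that appear in the thread, "unable to decode: {replica 12}"
# and "unable to decode {replica 12}", followed by the min and max CSN of the element.
RUV_LINE_RE = re.compile(
    r"unable to decode:?\s*\{replica (\d+)\}\s+([0-9a-f]{20})\s+([0-9a-f]{20})",
    re.IGNORECASE,
)


def parse_csn(csn):
    """Split a CSN into its four fields; raises ValueError on malformed input."""
    if not CSN_RE.match(csn):
        raise ValueError("not a 20-hex-digit CSN: %r" % (csn,))
    return {
        "timestamp": int(csn[0:8], 16),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def csn_to_date(csn):
    """Render the CSN timestamp in the dd/mm/yyyy:HH:MM:SS form csn2date.py prints (UTC)."""
    ts = parse_csn(csn)["timestamp"]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%d/%m/%Y:%H:%M:%S")


def parse_ruv_report(text):
    """Turn every 'unable to decode' line into a record describing that RUV element."""
    records = []
    for m in RUV_LINE_RE.finditer(text):
        rid = int(m.group(1))
        min_csn, max_csn = parse_csn(m.group(2)), parse_csn(m.group(3))
        records.append({
            "rid": rid,
            # The replica id embedded in both CSNs must equal the one in braces;
            # a mismatch means the line is not the RUV element the regexp assumed.
            "rid_consistent": min_csn["rid"] == rid and max_csn["rid"] == rid,
            "min_date": csn_to_date(m.group(2)),
            "max_date": csn_to_date(m.group(3)),
            "max_timestamp": max_csn["timestamp"],
            # min == max: the element carries a single CSN, as in every line of
            # the list Janelle posted after running cleanallruv.pl.
            "single_csn": m.group(2).lower() == m.group(3).lower(),
        })
    return records


def rids_older_than(records, now_timestamp, max_age_days):
    """Replica ids whose newest CSN is older than max_age_days at now_timestamp.

    Old timestamps are the hint Thierry used to conclude the elements are leftovers
    from cleanallruv runs made before the fix rather than live replicas.
    """
    cutoff = now_timestamp - max_age_days * 86400
    return sorted({r["rid"] for r in records if r["max_timestamp"] < cutoff})


# Constructed sample input: three of the RUV elements Janelle reported in the thread.
SAMPLE_RUV_OUTPUT = """\
unable to decode {replica 12} 559f3de60004000c0000 559f3de60004000c0000
unable to decode {replica 14} 5587aa8d0003000e0000 5587aa8d0003000e0000
unable to decode {replica 5} 55cc82ab041d00050000 55cc82ab041d00050000
"""

if __name__ == "__main__":
    for rec in parse_ruv_report(SAMPLE_RUV_OUTPUT):
        print(rec)
    # 2015-09-01 00:00 UTC, roughly when Janelle wrote; 30 days of silence
    # from a replica id is a generous threshold for "no longer a live server".
    print("stale rids:", rids_older_than(parse_ruv_report(SAMPLE_RUV_OUTPUT), 1441065600, 30))
```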
From gustavo.mateus at gmail.com Wed Sep 2 18:33:32 2015
From: gustavo.mateus at gmail.com (Gustavo Mateus)
Date: Wed, 2 Sep 2015 11:33:32 -0700
Subject: [Freeipa-users] ipa-client on aws (amazon linux)
In-Reply-To: <20150902073638.GJ8927@mail.corp.redhat.com>
References: <20150902071322.GG8927@mail.corp.redhat.com> <20150902073638.GJ8927@mail.corp.redhat.com>
Message-ID:

I think I'll go with ipa-advise for now since my main goal is to move away from openldap and allow AD users to ssh into my linux boxes. And eventually, when AWS decides to finally include ipa-client in amazon linux, I move to that approach.

On Wed, Sep 2, 2015 at 12:36 AM, Lukas Slebodnik wrote:
> On (02/09/15 12:58), Prashant Bapat wrote:
> >Lukas,
> >
> >ipa-client-install is part of the freeipa-client rpm. On Amazon Linux this
> >rpm cannot be installed. This is the basic issue.
> >
> Indeed.
> there is a strict requires for sssd
>
> Requires: sssd >= 1.12.3      #from fedora spec file
>
> Using ipa-advise might be more comfortable way rather than
> patch spec file or create modified rpms.
>
> LS
>

From wia at iglass.net Wed Sep 2 19:25:50 2015
From: wia at iglass.net (Marc Wiatrowski)
Date: Wed, 2 Sep 2015 15:25:50 -0400
Subject: [Freeipa-users] ipa automountlocation-tofiles
Message-ID:

Hello,

In trying to script some changes for automount locations, I've noticed 'ipa automountlocation-tofiles' doesn't seem to return everything. As an example:

$ ipa automountlocation-tofiles office | grep abg

returns nothing for abg. Yes, I have run this without the grep and looked, piped everything to a file and looked. Still nothing for abg and no errors I can see.
There are several maps out of about 150 that don't show up with automountlocation-tofiles.

However through the web gui they're there and they're there by specifically looking for them. Also works with the clients and autofs.

$ ipa automountkey-show office auto.workers --all --key abg
  dn: description=abg,automountmapname=auto.workers,cn=office,cn=automount,dc=iglass,dc=net
  Key: abg
  Mount information: server1:/path1/workers/&
  description: abg
  objectclass: automount, top

It's been easy enough to manually change the few that don't get caught by the dump, but been wondering... Anyone have an idea?

ipa-admintools-3.0.0-47.el6.centos.x86_64
ipa-server-3.0.0-47.el6.centos.x86_64

Thanks,
Marc

From rcritten at redhat.com Wed Sep 2 19:46:38 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Sep 2015 15:46:38 -0400
Subject: [Freeipa-users] ipa automountlocation-tofiles
In-Reply-To:
References:
Message-ID: <55E7521E.2030409@redhat.com>

Marc Wiatrowski wrote:
> Hello,
>
> In trying to script some changes for automount locations. I've noticed
> 'ipa automountlocation-tofiles' doesn't seem to return everything. As
> an example:
>
> $ ipa automountlocation-tofiles office | grep abg
>
> returns nothing for abg. Yes, I have run this without the grep and
> looked, piped everything to a file and looked. Still nothing for abg and
> no errors I can see. There are several maps out of about 150 that don't
> show up with automountlocation-tofiles.
>
> However through the web gui they're there and they're there by
> specifically looking for them. Also works with the clients and autofs.
>
> $ ipa automountkey-show office auto.workers --all --key abg
>   dn:
> description=abg,automountmapname=auto.workers,cn=office,cn=automount,dc=iglass,dc=net
>   Key: abg
>   Mount information: server1:/path1/workers/&
>   description: abg
>   objectclass: automount, top
>
> It's been easy enough to manually change the few that don't get
> caught by the dump, but I've been wondering... Anyone have an idea?
>
> ipa-admintools-3.0.0-47.el6.centos.x86_64
> ipa-server-3.0.0-47.el6.centos.x86_64

Does auto.workers show at all?

Are the ones that don't show consistent? Are they related in any way?

rob

From wia at iglass.net Wed Sep 2 20:14:06 2015
From: wia at iglass.net (Marc Wiatrowski)
Date: Wed, 2 Sep 2015 16:14:06 -0400
Subject: [Freeipa-users] ipa automountlocation-tofiles
In-Reply-To: <55E7521E.2030409@redhat.com>
References: <55E7521E.2030409@redhat.com>
Message-ID:

On Wed, Sep 2, 2015 at 3:46 PM, Rob Crittenden wrote:
> Marc Wiatrowski wrote:
>
>> Hello,
>>
>> In trying to script some changes for automount locations, I've noticed
>> 'ipa automountlocation-tofiles' doesn't seem to return everything. As
>> an example:
>>
>> $ ipa automountlocation-tofiles office | grep abg
>>
>> returns nothing for abg. Yes, I have run this without the grep and
>> looked, piped everything to a file and looked. Still nothing for abg and
>> no errors I can see. There are several maps out of about 150 that don't
>> show up with automountlocation-tofiles.
>>
>> However through the web gui they're there and they're there by
>> specifically looking for them. Also works with the clients and autofs.
>>
>> $ ipa automountkey-show office auto.workers --all --key abg
>>   dn:
>>
>> description=abg,automountmapname=auto.workers,cn=office,cn=automount,dc=iglass,dc=net
>>   Key: abg
>>   Mount information: server1:/path1/workers/&
>>   description: abg
>>   objectclass: automount, top
>>
>> It's been easy enough to manually change the few that don't get
>> caught by the dump, but I've been wondering...
>> Anyone have an idea?
>>
>> ipa-admintools-3.0.0-47.el6.centos.x86_64
>> ipa-server-3.0.0-47.el6.centos.x86_64
>>
>
> Does auto.workers show at all?
>
> Are the ones that don't show consistent? Are they related in any way?
>
> rob

Thanks, rob

Yes, auto.workers shows and lists out about 150 entries. I was trying to keep it cleaner and not inadvertently reveal something confidential by not showing the whole dump.

Not to say there isn't, but I don't see anything making them related, key or map.

I'll throw in that there are 3 ipa servers. Each shows the same results.

From prasun.gera at gmail.com Thu Sep 3 01:30:09 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Wed, 2 Sep 2015 18:30:09 -0700
Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts
In-Reply-To:
References: <20150624074920.GF11174@hendrix.redhat.com> <20150624083122.GG11174@hendrix.redhat.com> <558EA478.9040008@redhat.com>
Message-ID:

FYI, I think the culprit (at least one of them) is ipa-client-automount --uninstall. This removes sss entirely from nsswitch, not just from the automount section.

On Tue, Sep 1, 2015 at 11:56 AM, Prasun Gera wrote:
> So I've again spent a couple of hours debugging a very similar issue.
> Client install would seemingly pass, but with "Unable to find 'admin' user
> with 'getent passwd admin at domain'!" at the end. And nobody would be able
> to authenticate. The reason was that /etc/nsswitch.conf wasn't updated. sss
> wasn't added to it. Wading through this thread
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00538.html
> provided some hints. I have no idea why it did that, but as I have
> experienced before, modifying critical system files this way from python
> scripts which don't have proper transactional support is very dangerous.
> I suspect that this has something to do with a prior failed install or
> uninstall attempt which left it in an inconsistent state. Is it possible to
> move from this backup-modify-restore approach to critical files to
> something more robust which has transactional guarantees?
>
> On Sat, Jun 27, 2015 at 6:26 AM, Dmitri Pal wrote:
>
>> On 06/24/2015 04:31 AM, Jakub Hrozek wrote:
>>
>>> On Wed, Jun 24, 2015 at 01:24:37AM -0700, Prasun Gera wrote:
>>>
>>>> Thanks. It's good to know that it is fixed upstream. For discussion
>>>> though,
>>>> are any enhancements planned for dealing with installation/removal of
>>>> ipa?
>>>>
>>> Not sure, but please file bugs as you see them.
>>>
>> Yes, please be more specific. The bugs that were mentioned by Jakub are
>> making their way into downstream. If there are any other issues you are
>> concerned about, please let us know.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Director of Engineering for IdM portfolio
>> Red Hat, Inc.
>>

From Steven.Jones at vuw.ac.nz Thu Sep 3 04:12:05 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 3 Sep 2015 04:12:05 +0000
Subject: [Freeipa-users] Upgrading IPA to dogtag? CA?
In-Reply-To: <1427931369.19641.6.camel@willson.usersys.redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com>
Message-ID:

It seems I built IPA with self-signed certs, so I need to upgrade? Is this possible? And if so, how, on existing servers?
regards

Steven

From jhrozek at redhat.com Thu Sep 3 06:32:28 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 3 Sep 2015 08:32:28 +0200
Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts
In-Reply-To:
References: <20150624074920.GF11174@hendrix.redhat.com> <20150624083122.GG11174@hendrix.redhat.com> <558EA478.9040008@redhat.com>
Message-ID: <20150903063228.GG18955@hendrix.redhat.com>

On Wed, Sep 02, 2015 at 06:30:09PM -0700, Prasun Gera wrote:
> FYI, I think the culprit (at least one of them) is ipa-client-automount
> --uninstall. This removes sss entirely from nsswitch, not just from the
> automount section.

Hmm, I haven't tested that, but it sounds like a bug.. I would expect automount uninstall to touch my passwd or group database..

From prasun.gera at gmail.com Thu Sep 3 06:56:52 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Wed, 2 Sep 2015 23:56:52 -0700
Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts
In-Reply-To: <20150903063228.GG18955@hendrix.redhat.com>
References: <20150624074920.GF11174@hendrix.redhat.com> <20150624083122.GG11174@hendrix.redhat.com> <558EA478.9040008@redhat.com> <20150903063228.GG18955@hendrix.redhat.com>
Message-ID:

I have zero confidence in any of the install and uninstall scripts. And this is on RHEL systems. On unofficial ones like Ubuntu, things are even more broken. I really like freeipa, but so far, even in a smallish lab environment, it has been a nightmare. I am really tempted to just go back to NIS. Does anyone have any ideas or proposals for making things more robust? At the very least, I think that these sorts of modifications to system files should only happen with package install/removal. Any changes that ipa's scripts do should be local to ipa's internal state.
Better would be to have an internal ipa database sort of thing which keeps track of what the current state is, so that even if a script dies, which has happened often, the next attempt reads the database and figures out what happened earlier.

On Wed, Sep 2, 2015 at 11:32 PM, Jakub Hrozek wrote:
> On Wed, Sep 02, 2015 at 06:30:09PM -0700, Prasun Gera wrote:
> > FYI, I think the culprit (at least one of them) is ipa-client-automount
> > --uninstall. This removes sss entirely from nsswitch, not just from the
> > automount section.
>
> Hmm, I haven't tested that, but it sounds like a bug.. I would expect
> automount uninstall to touch my passwd or group database..
>

From abokovoy at redhat.com Thu Sep 3 07:17:48 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 3 Sep 2015 10:17:48 +0300
Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts
In-Reply-To:
References: <20150624074920.GF11174@hendrix.redhat.com> <20150624083122.GG11174@hendrix.redhat.com> <558EA478.9040008@redhat.com> <20150903063228.GG18955@hendrix.redhat.com>
Message-ID: <20150903071748.GM22106@redhat.com>

On Wed, 02 Sep 2015, Prasun Gera wrote:
>I have zero confidence in any of the install and uninstall scripts. And
>this is on RHEL systems. On unofficial ones like Ubuntu, things are even
>more broken. I really like freeipa, but so far, even in a smallish lab
>environment, it has been a nightmare. I am really tempted to just go back
>to NIS. Does anyone have any ideas or proposals for making things more
>robust? At the very least, I think that these sorts of modifications to
>system files should only happen with package install/removal. Any changes
>that ipa's scripts do should be local to ipa's internal state.
>Better would
>be to have an internal ipa database sort of thing which keeps track of what
>the current state is, so that even if a script dies, which has happened
>often, the next attempt reads the database and figures out what happened
>earlier.

File bugs with enough details. It is the only reliable way to fix any issues where environments differ. Install/uninstall scripts work for fresh installs in RHEL and Fedora because this is what is tested. If you have repurposed machines from some other setups, things might differ, and only you know what is in your environment. That's not bad or good, that's just different -- the more different environments we see, the more robust code can be added.

People are infinitely more clever than computers when it comes to configuration files' format mangling. I've seen multiple cases where a claim of 'ipa scripts broke my configuration' was later retracted, saying that a puppet or other SCM run afterwards did these changes. That just happens; if there are many elephants dancing in the room, careful coordination is always a good idea.

Coming back to your issues, please file bugs -- either upstream or downstream, via distributions, whatever way is more suitable to you. Contributing 'broken' config files would be good too.
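An added example on the nsswitch.conf point raised earlier in this thread (an automount uninstall that strips "sss" from every database instead of only the automount line, and Prasun's request for edits with transactional guarantees). This is illustrative code written for this archive page, not FreeIPA's own client code; the file content is a constructed sample and the over-broad function is a hypothetical reconstruction of the reported effect, not the real installer logic. It contrasts the two edits, checks which databases still reference a module, and writes the result back with a temp-file-plus-rename so a crash mid-edit never leaves a truncated nsswitch.conf.

```python
"""Scoped, atomic edits of nsswitch.conf (added example, not FreeIPA code)."""
import os
import re
import tempfile

# Constructed sample of what ipa-client-install leaves behind (not a real capture).
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
automount:  files sss
sudoers:    files sss
netgroup:   files sss
"""

# database-name, separator (keeps the original column spacing), sources, trailing comment
DB_LINE = re.compile(
    r"^(?P<name>[A-Za-z_]+)(?P<sep>\s*:\s*)(?P<sources>[^#]*?)(?P<comment>\s*#.*)?$")

def _strip_module(line, module):
    """Return `line` with `module` removed from its source list; other lines unchanged."""
    m = DB_LINE.match(line)
    if not m:
        return line
    kept = [s for s in m.group("sources").split() if s != module]  # keeps [NOTFOUND=return] etc.
    return m.group("name") + m.group("sep") + " ".join(kept) + (m.group("comment") or "")

def remove_module_everywhere(conf, module):
    """Over-broad edit (hypothetical reconstruction of the reported behaviour):
    strips `module` from every database, so passwd/group lose sss as well."""
    return "".join(_strip_module(line, module) + "\n" for line in conf.splitlines())

def remove_module_from_db(conf, db, module):
    """Scoped edit: strips `module` only from the line for database `db`."""
    out = []
    for line in conf.splitlines():
        m = DB_LINE.match(line)
        out.append(_strip_module(line, module) if m and m.group("name") == db else line)
    return "".join(line + "\n" for line in out)

def databases_using(conf, module):
    """Names of the databases whose source list contains `module`."""
    found = set()
    for line in conf.splitlines():
        m = DB_LINE.match(line)
        if m and module in m.group("sources").split():
            found.add(m.group("name"))
    return found

def rewrite_atomically(path, transform):
    """Apply `transform` to the file text and replace the file atomically:
    write a temp file in the same directory, fsync it, then rename over the
    original, so a crash leaves either the old or the new file, never a partial one."""
    with open(path) as f:
        new = transform(f.read())
    mode = os.stat(path).st_mode & 0o7777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".nsswitch.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return new

if __name__ == "__main__":
    print("before:", sorted(databases_using(SAMPLE, "sss")))
    print("scoped:", sorted(databases_using(remove_module_from_db(SAMPLE, "automount", "sss"), "sss")))
    print("broad: ", sorted(databases_using(remove_module_everywhere(SAMPLE, "sss"), "sss")))
```

Run against a real file as `rewrite_atomically("/etc/nsswitch.conf", lambda c: remove_module_from_db(c, "automount", "sss"))`; the scoped edit is idempotent, so a re-run after a failed earlier attempt is harmless. The rename preserves the mode bits but not an SELinux context, so on an enforcing host a `restorecon` of the file afterwards is still needed.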
--
/ Alexander Bokovoy

From harenberg at physik.uni-wuppertal.de Thu Sep 3 09:08:15 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Thu, 3 Sep 2015 11:08:15 +0200
Subject: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)
Message-ID: <55E80DFF.7050205@physik.uni-wuppertal.de>

Dear all,

I cannot get an "admin" kerberos token anymore on our main IPA server:

[root at ipa log]# kinit admin
kinit: Clients credentials have been revoked while getting initial credentials

Sep 03 11:02:30 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT: admin at PLEIADES.UNI-WUPPERTAL.DE for krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Clients credentials have been revoked

also login via HTTP is not possible anymore:

Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: NEEDED_PREAUTH: HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Additional pre-authentication required
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info): closing down fd 11
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: ISSUE: authtime 1441271092, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info): closing down fd 11
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT: admin at PLEIADES.UNI-WUPPERTAL.DE for krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Clients credentials have been revoked

while the same works on the secondary server.
I read

http://web.mit.edu/kerberos/krb5-devel/doc/admin/lockout.html

but this did not give me a clue how to get out of this.

I am pretty sure that I never entered a wrong password, but of course someone could have tried to log in on the Web interface.

Any idea how this can be resolved?

Kind regards

Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                              <>
<> Dr. Torsten Harenberg     harenberg at physik.uni-wuppertal.de  <>
<> Bergische Universitaet                                       <>
<> FB C - Physik             Tel.: +49 (0)202 439-3521          <>
<> Gaussstr. 20              Fax : +49 (0)202 439-2811          <>
<> 42097 Wuppertal                                              <>
<>                                                              <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From harenberg at physik.uni-wuppertal.de Thu Sep 3 09:19:08 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Thu, 3 Sep 2015 11:19:08 +0200
Subject: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)
In-Reply-To: <55E80DFF.7050205@physik.uni-wuppertal.de>
References: <55E80DFF.7050205@physik.uni-wuppertal.de>
Message-ID: <55E8108C.2020408@physik.uni-wuppertal.de>

Sorry for self-replying, I was able to solve it by using the 2nd IPA server:

[root at ipa2 ~]# kinit admin
Password for admin at PLEIADES.UNI-WUPPERTAL.DE:
[root at ipa2 ~]# ipa user-status admin
-----------------------
Account disabled: False
-----------------------
  Server: ipa.pleiades.uni-wuppertal.de
  Failed logins: 0
  Last successful authentication: 20150903090946Z
  Last failed authentication: 20150903090808Z
  Time now: 2015-09-03T09:09:47Z
  Server: ipa2.pleiades.uni-wuppertal.de
  Failed logins: 0
  Last successful authentication: 20150903090946Z
  Last failed authentication: 20150903090851Z
  Time now: 2015-09-03T09:09:47Z
-------------------------------------
Number of entries returned 2
-------------------------------------
[root at ipa2 ~]# ipa user-unlock admin
-----------------------------
Unlocked account "admin"
-----------------------------
[root at ipa2 ~]#

and now it works again on the primary:

[root at ipa ~]# kinit admin
Password for admin at PLEIADES.UNI-WUPPERTAL.DE:
[root at ipa ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin at PLEIADES.UNI-WUPPERTAL.DE

Valid starting       Expires              Service principal
03.09.2015 11:11:07  04.09.2015 11:11:04  krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE
[root at ipa ~]#

(Sorry for the german messages, my working machine is set to german.)

Is there any way to find out why the admin user was unlocked on the primary machine?

And would it also be possible to unlock the "admin" user with one of the accounts inside the "admins" group? I am a bit afraid that we will lock ourselves out next time that happens.

Thanks

Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                              <>
<> Dr. Torsten Harenberg     harenberg at physik.uni-wuppertal.de  <>
<> Bergische Universitaet                                       <>
<> FB C - Physik             Tel.: +49 (0)202 439-3521          <>
<> Gaussstr. 20              Fax : +49 (0)202 439-2811          <>
<> 42097 Wuppertal                                              <>
<>                                                              <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From rcritten at redhat.com Thu Sep 3 17:43:38 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Sep 2015 13:43:38 -0400
Subject: [Freeipa-users] ipa automountlocation-tofiles
In-Reply-To:
References: <55E7521E.2030409@redhat.com>
Message-ID: <55E886CA.6020205@redhat.com>

Marc Wiatrowski wrote:
> On Wed, Sep 2, 2015 at 3:46 PM, Rob Crittenden
> wrote:
>
> Marc Wiatrowski wrote:
>
> Hello,
>
> In trying to script some changes for automount locations, I've
> noticed
> 'ipa automountlocation-tofiles' doesn't seem to return
> everything. As
> an example:
>
> $ ipa automountlocation-tofiles office | grep abg
>
> returns nothing for abg. Yes, I have run this without the grep and
> looked, piped everything to a file and looked. Still nothing for
> abg and
> no errors I can see.
> There are several maps out of about 150
> that don't
> show up with automountlocation-tofiles.
>
> However through the web gui they're there and they're there by
> specifically looking for them. Also works with the clients and
> autofs.
>
> $ ipa automountkey-show office auto.workers --all --key abg
>   dn:
> description=abg,automountmapname=auto.workers,cn=office,cn=automount,dc=iglass,dc=net
>   Key: abg
>   Mount information: server1:/path1/workers/&
>   description: abg
>   objectclass: automount, top
>
> It's been easy enough to manually change the few that don't get
> caught by the dump, but I've been wondering... Anyone have an idea?
>
> ipa-admintools-3.0.0-47.el6.centos.x86_64
> ipa-server-3.0.0-47.el6.centos.x86_64
>
>
> Does auto.workers show at all?
>
> Are the ones that don't show consistent? Are they related in any way?
>
> rob
>
>
> Thanks, rob
>
> Yes, auto.workers shows and lists out about 150 entries. I was trying to
> keep it cleaner and not inadvertently reveal something confidential by
> not showing the whole dump.
>
> Not to say there isn't, but I don't see anything making them related,
> key or map.
>
> I'll throw in that there are 3 ipa servers. Each shows the same results.
>

The tofiles command does some internal searches. I wonder if some of those are getting truncated results.

You might try: ipa config-mod --searchrecordslimit=200

You'll probably need to restart httpd for this new limit to take effect.

rob

From janellenicole80 at gmail.com Thu Sep 3 17:57:37 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Thu, 3 Sep 2015 10:57:37 -0700
Subject: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)
In-Reply-To: <55E80DFF.7050205@physik.uni-wuppertal.de>
References: <55E80DFF.7050205@physik.uni-wuppertal.de>
Message-ID: <55E88A11.1040804@gmail.com>

You will find, if you check in the ns-slapd "errors" log, that this server may no longer be handling replication correctly.
Look in /var/log/dirsrv/slapd-INSTANCE..../errors

Look for errors where replication is not starting correctly because of credential problems. You may have to re-init this replica.

The reason "admin" is locked out is that something gets screwed up with the keytab file that was originally installed (I have not found the cause yet, only experienced the exact same thing).

Once the keytab file is messed up, other servers can't authenticate and therefore the ADMIN account gets locked out. If you restart the server, it will clear for a little while, but go right back to being locked out.

Solution - delete the replica and recreate.

~J

On 9/3/15 2:08 AM, Torsten Harenberg wrote:
> Dear all,
>
> I cannot get an "admin" kerberos token anymore on our main IPA server:
>
> [root at ipa log]# kinit admin
> kinit: Clients credentials have been revoked while getting initial
> credentials
>
> Sep 03 11:02:30 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
> admin at PLEIADES.UNI-WUPPERTAL.DE for
> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Clients
> credentials have been revoked
>
> also login via HTTP is not possible anymore:
>
> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: NEEDED_PREAUTH:
> HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for
> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Additional
> pre-authentication required
> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
> closing down fd 11
> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: ISSUE: authtime
> 1441271092, etypes {rep=18 tkt=18 ses=18},
> HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for
> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE
> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de
> krb5kdc[1351](info):
> closing down fd 11
> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
> admin at PLEIADES.UNI-WUPPERTAL.DE for
> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Clients
> credentials have been revoked
>
> while the same works on the secondary server.
>
> I read
>
> http://web.mit.edu/kerberos/krb5-devel/doc/admin/lockout.html
>
> but this did not give me a clue how to get out of this.
>
> I am pretty sure that I never entered a wrong password, but of course
> someone could have tried to log in on the Web interface.
>
> Any idea how this can be resolved?
>
> Kind regards
>
> Torsten
>

From rcritten at redhat.com Thu Sep 3 18:11:25 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Sep 2015 14:11:25 -0400
Subject: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)
In-Reply-To: <55E88A11.1040804@gmail.com>
References: <55E80DFF.7050205@physik.uni-wuppertal.de> <55E88A11.1040804@gmail.com>
Message-ID: <55E88D4D.2060402@redhat.com>

Janelle wrote:
> You will find, if you check in the ns-slapd "errors" log, that this
> server may no longer be handling replication correctly.
>
> Look in /var/log/dirsrv/slapd-INSTANCE..../errors

This probably doesn't have anything to do with replication. Lockout is per-master because failed (and successful) logins are not replicated, due to the performance issues that would bring. Imagine 500 people all logging in at the same time in the morning, and how busy all the masters would be replicating the successes and failures.

So this is a perfectly reasonable scenario where on one master the admin has violated the password lockout policy and is locked out, but can still log in to other masters.

ipa user-status will show the lockout attributes by master. And ipa user-unlock will unlock them.
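An added example for the per-master lockout behaviour Rob describes above; it is illustrative code written for this archive page, not something from the thread or from FreeIPA. Because failed-login counters are kept on each master and never replicated, `ipa user-status` has to be read one server block at a time. The script parses a constructed sample of that output (invented hostnames, modelled on Torsten's paste) together with a few constructed krb5kdc log lines in MIT KDC format, decides which masters currently hold the lock under a given password policy, and emits the unlock command. The policy numbers (max failures, lockout duration) are assumed values that would normally come from `ipa pwpolicy-show`.

```python
"""Per-master lockout triage for a FreeIPA principal (added example, not FreeIPA code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed `ipa user-status admin` output; hostnames and values are invented.
USER_STATUS = """\
-----------------------
Account disabled: False
-----------------------
  Server: ipa1.example.test
  Failed logins: 6
  Last successful authentication: 20150903080000Z
  Last failed authentication: 20150903090808Z
  Time now: 2015-09-03T09:09:47Z
  Server: ipa2.example.test
  Failed logins: 0
  Last successful authentication: 20150903090946Z
  Last failed authentication: 20150903090851Z
  Time now: 2015-09-03T09:09:47Z
-----------------------------
Number of entries returned 2
-----------------------------
"""

# Constructed krb5kdc log lines (MIT KDC format) for the same incident.
KDC_LOG = """\
Sep 03 11:02:30 ipa1.example.test krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.12: LOCKED_OUT: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Clients credentials have been revoked
Sep 03 11:04:52 ipa1.example.test krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.12: NEEDED_PREAUTH: HTTP/ipa1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Sep 03 11:04:52 ipa1.example.test krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.12: LOCKED_OUT: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Clients credentials have been revoked
"""

GENTIME = "%Y%m%d%H%M%SZ"   # LDAP generalizedTime, as printed for the auth timestamps
ISO = "%Y-%m-%dT%H:%M:%SZ"  # format of the "Time now" line

def parse_user_status(text):
    """Map server name -> {failed, last_failed, now} from `ipa user-status` output."""
    servers, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "Server":
            cur = servers.setdefault(val, {})
        elif cur is None:
            continue  # header lines before the first Server block
        elif key == "Failed logins":
            cur["failed"] = int(val)
        elif key == "Last failed authentication":
            cur["last_failed"] = datetime.strptime(val, GENTIME).replace(tzinfo=timezone.utc)
        elif key == "Time now":
            cur["now"] = datetime.strptime(val, ISO).replace(tzinfo=timezone.utc)
    return servers

def locked_masters(servers, maxfail, lockout_seconds):
    """Masters on which the account is currently locked.

    maxfail / lockout_seconds are the policy's "Max failures" and "Lockout duration"
    (assumed to be read from `ipa pwpolicy-show`). lockout_seconds == 0 is treated as
    a permanent lock that only an admin unlock clears (assumption).
    """
    locked = []
    for name, s in servers.items():
        if s.get("failed", 0) < maxfail:
            continue
        still_in_window = s["now"] - s["last_failed"] < timedelta(seconds=lockout_seconds)
        if lockout_seconds == 0 or still_in_window:
            locked.append(name)
    return sorted(locked)

LOCKED_RE = re.compile(
    r"^\S+ \d+ \S+ (?P<host>\S+) krb5kdc\[\d+\]\(info\): AS_REQ .*?: LOCKED_OUT: (?P<princ>\S+) for ")

def kdc_lockouts(log_text):
    """Count LOCKED_OUT AS_REQ rejections per (kdc host, principal)."""
    counts = {}
    for line in log_text.splitlines():
        m = LOCKED_RE.match(line)
        if m:
            key = (m.group("host"), m.group("princ"))
            counts[key] = counts.get(key, 0) + 1
    return counts

def unlock_command(user, locked):
    """The unlock to run; None when no master holds a lock."""
    return "ipa user-unlock %s" % user if locked else None

if __name__ == "__main__":
    servers = parse_user_status(USER_STATUS)
    locked = locked_masters(servers, maxfail=6, lockout_seconds=600)  # assumed policy values
    print("locked on:", locked)
    print("KDC rejections:", kdc_lockouts(KDC_LOG))
    print(unlock_command("admin", locked))
```

The KDC counter tells you which master is rejecting the AS_REQ; `user-status` tells you why. The unlock itself only needs to be issued once, against any master you can still authenticate to, as Torsten's paste above shows (run on ipa2, cleared the lock on ipa).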
rob

>
> Look for errors where replication is not starting correctly because of
> credential problems. You may have to re-init this replica.
> The reason "admin" is locked out is that something gets screwed up with
> the keytab file that was originally installed (I have not found the
> cause yet, only experienced the exact same thing).
>
> Once the keytab file is messed up, other servers can't authenticate and
> therefore the ADMIN account gets locked out. If you restart the server,
> it will clear for a little while, but go right back to being locked out.
>
> Solution - delete the replica and recreate.
>
> ~J
>
> On 9/3/15 2:08 AM, Torsten Harenberg wrote:
>> Dear all,
>>
>> I cannot get an "admin" kerberos token anymore on our main IPA server:
>>
>> [root at ipa log]# kinit admin
>> kinit: Clients credentials have been revoked while getting initial
>> credentials
>>
>> Sep 03 11:02:30 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
>> admin at PLEIADES.UNI-WUPPERTAL.DE for
>> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Clients
>> credentials have been revoked
>>
>> also login via HTTP is not possible anymore:
>>
>> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: NEEDED_PREAUTH:
>> HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for
>> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Additional
>> pre-authentication required
>> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>> closing down fd 11
>> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: ISSUE: authtime
>> 1441271092, etypes {rep=18 tkt=18 ses=18},
>> HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for
>> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE
>> Sep 03 11:04:52
>> ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>> closing down fd 11
>> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
>> admin at PLEIADES.UNI-WUPPERTAL.DE for
>> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Clients
>> credentials have been revoked
>>
>> while the same works on the secondary server.
>>
>> I read
>>
>> http://web.mit.edu/kerberos/krb5-devel/doc/admin/lockout.html
>>
>> but this did not give me a clue how to get out of this.
>>
>> I am pretty sure that I never entered a wrong password, but of course
>> someone could have tried to log in on the Web interface.
>>
>> Any idea how this can be resolved?
>>
>> Kind regards
>>
>> Torsten
>>
>

From janellenicole80 at gmail.com Thu Sep 3 19:38:22 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Thu, 3 Sep 2015 12:38:22 -0700
Subject: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)
In-Reply-To: <55E88D4D.2060402@redhat.com>
References: <55E80DFF.7050205@physik.uni-wuppertal.de> <55E88A11.1040804@gmail.com> <55E88D4D.2060402@redhat.com>
Message-ID: <55E8A1AE.2000905@gmail.com>

Sorry Rob - I beg to differ here. I can replicate this with my replica failures. It happens that a replica simply loses its mind. Somehow the keytab gets mucked up and further connections for replication fail -- it shows a failed "admin" login, and they add up because the other servers continue. It only happens on the failed replica -- AND I am the only one with the admin PW, and there are ZERO failed attempts over SSH.

As soon as I get another failed replica in this state (about once every 2-3 weeks) I will post the logs and open a ticket. On one server, I simply did a reboot, and when it came back, the keytab was wrong and the replica now claimed that it was no longer a member of the replica list.

Let me get more information and logs to open a ticket.
~J

On 9/3/15 11:11 AM, Rob Crittenden wrote:
> Janelle wrote:
>> You will find, if you check in the ns-slapd "errors" log, that this
>> server may no longer be handling replication correctly.
>>
>> Look in /var/log/dirsrv/slapd-INSTANCE..../errors
>
> This probably doesn't have anything to do with replication. Lockout is
> per-master because failed (and successful) logins are not replicated
> due to the performance issues that would bring. Imagine 500 people all
> logging in at the same time in the morning, and how busy all the masters
> would be replicating the successes and failures.
>
> So this is a perfectly reasonable scenario where on one master the
> admin has violated the password lockout policy and is locked out, but
> can still log in to other masters.
>
> ipa user-status will show the lockout attributes by master. And
> ipa user-unlock will unlock them.
>
> rob
>
>>
>> Look for errors where replication is not starting correctly because of
>> credential problems. You may have to re-init this replica.
>> The reason "admin" is locked out is that something gets screwed up with
>> the keytab file that was originally installed (I have not found the
>> cause yet, only experienced the exact same thing).
>>
>> Once the keytab file is messed up, other servers can't authenticate and
>> therefore the ADMIN account gets locked out. If you restart the server,
>> it will clear for a little while, but go right back to being locked out.
>>
>> Solution - delete the replica and recreate.
>>
>> ~J
>>
>> On 9/3/15 2:08 AM, Torsten Harenberg wrote:
>>> Dear all,
>>>
>>> I cannot get an "admin" kerberos token anymore on our main IPA server:
>>>
>>> [root at ipa log]# kinit admin
>>> kinit: Clients credentials have been revoked while getting initial
>>> credentials
>>>
>>> Sep 03 11:02:30 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>>> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
>>> admin at PLEIADES.UNI-WUPPERTAL.DE for
>>> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Clients
>>> credentials have been revoked
>>>
>>> also login via HTTP is not possible anymore:
>>>
>>> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>>> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: NEEDED_PREAUTH:
>>> HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for
>>> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Additional
>>> pre-authentication required
>>> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>>> closing down fd 11
>>> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>>> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: ISSUE: authtime
>>> 1441271092, etypes {rep=18 tkt=18 ses=18},
>>> HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE for
>>> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE
>>> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>>> closing down fd 11
>>> Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
>>> AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
>>> admin at PLEIADES.UNI-WUPPERTAL.DE for
>>> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE, Clients
>>> credentials have been revoked
>>>
>>> while the same works on the secondary server.
>>>
>>> I read
>>>
>>> http://web.mit.edu/kerberos/krb5-devel/doc/admin/lockout.html
>>>
>>> but this did not give me a clue how to get out of this.
>>>
>>> I am pretty sure that I never entered a wrong password, but of course
>>> someone could have tried to log in on the Web interface.
>>>
>>> Any idea how this can be resolved?
>>>
>>> Kind regards
>>>
>>> Torsten
>>>
>>
>

From wia at iglass.net Thu Sep 3 20:13:00 2015
From: wia at iglass.net (Marc Wiatrowski)
Date: Thu, 3 Sep 2015 16:13:00 -0400
Subject: [Freeipa-users] ipa automountlocation-tofiles
In-Reply-To: <55E886CA.6020205@redhat.com>
References: <55E7521E.2030409@redhat.com> <55E886CA.6020205@redhat.com>
Message-ID:

That looks to have done the trick! (No restart needed.) Thank you.

On Thu, Sep 3, 2015 at 1:43 PM, Rob Crittenden wrote:
> Marc Wiatrowski wrote:
>
>> On Wed, Sep 2, 2015 at 3:46 PM, Rob Crittenden
>> wrote:
>>
>> Marc Wiatrowski wrote:
>>
>> Hello,
>>
>> In trying to script some changes for automount locations, I've
>> noticed
>> 'ipa automountlocation-tofiles' doesn't seem to return
>> everything. As
>> an example:
>>
>> $ ipa automountlocation-tofiles office | grep abg
>>
>> returns nothing for abg. Yes, I have run this without the grep
>> and
>> looked, piped everything to a file and looked. Still nothing for
>> abg and
>> no errors I can see. There are several maps out of about 150
>> that don't
>> show up with automountlocation-tofiles.
>>
>> However through the web gui they're there and they're there by
>> specifically looking for them. Also works with the clients and
>> autofs.
>>
>> $ ipa automountkey-show office auto.workers --all --key abg
>>   dn:
>>
>> description=abg,automountmapname=auto.workers,cn=office,cn=automount,dc=iglass,dc=net
>>   Key: abg
>>   Mount information: server1:/path1/workers/&
>>   description: abg
>>   objectclass: automount, top
>>
>> It's been easy enough to manually change the few that don't get
>> caught by the dump, but I've been wondering... Anyone have an idea?
>>
>> ipa-admintools-3.0.0-47.el6.centos.x86_64
>> ipa-server-3.0.0-47.el6.centos.x86_64
>>
>>
>> Does auto.workers show at all?
>>> Are the ones that don't show consistent? Are they related in any way?
>>>
>>> rob
>>
>> Thanks, rob
>>
>> Yes auto.workers shows and lists out about 150 entries. I was trying to keep it cleaner and not inadvertently reveal something confidential by not showing the whole dump.
>>
>> Not to say there isn't, but I don't see anything making them related, key or map.
>>
>> I'll throw in there are 3 ipa servers. Each shows the same results.
>
> The tofiles command does some internal searches. I wonder if some of those are getting truncated results.
>
> You might try: ipa config-mod --searchrecordslimit=200
>
> You'll probably need to restart httpd for this new limit to take effect.
>
> rob

From rcritten at redhat.com Thu Sep 3 20:18:39 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Sep 2015 16:18:39 -0400
Subject: [Freeipa-users] ipa automountlocation-tofiles
In-Reply-To:
References: <55E7521E.2030409@redhat.com> <55E886CA.6020205@redhat.com>
Message-ID: <55E8AB1F.8070205@redhat.com>

Marc Wiatrowski wrote:
> That looks to have done the trick! (no restart needed) thank you

Great. I opened https://fedorahosted.org/freeipa/ticket/5285 to track this.

rob

> On Thu, Sep 3, 2015 at 1:43 PM, Rob Crittenden wrote:
>> Marc Wiatrowski wrote:
>>> On Wed, Sep 2, 2015 at 3:46 PM, Rob Crittenden wrote:
>>>> Marc Wiatrowski wrote:
>>>>> Hello,
>>>>>
>>>>> In trying to script some changes for automount locations. I've noticed 'ipa automountlocation-tofiles' doesn't seem to return everything. As an example:
>>>>>
>>>>> $ ipa automountlocation-tofiles office | grep abg
>>>>>
>>>>> returns nothing for abg. Yes, I have run this without the grep and looked, piped everything to a file and looked. Still nothing for abg and no errors I can see. There are several maps out of about 150 that don't show up with automountlocation-tofiles.
>>>>>
>>>>> However through the web gui they're there and they're there by specifically looking for them. Also works with the clients and autofs.
>>>>>
>>>>> $ ipa automountkey-show office auto.workers --all --key abg
>>>>> dn: description=abg,automountmapname=auto.workers,cn=office,cn=automount,dc=iglass,dc=net
>>>>> Key: abg
>>>>> Mount information: server1:/path1/workers/&
>>>>> description: abg
>>>>> objectclass: automount, top
>>>>>
>>>>> It's been easy enough to manually change the few that don't get caught by the dump, but been wondering... Anyone have an idea?
>>>>>
>>>>> ipa-admintools-3.0.0-47.el6.centos.x86_64
>>>>> ipa-server-3.0.0-47.el6.centos.x86_64
>>>>
>>>> Does auto.workers show at all?
>>>>
>>>> Are the ones that don't show consistent? Are they related in any way?
>>>>
>>>> rob
>>>
>>> Thanks, rob
>>>
>>> Yes auto.workers shows and lists out about 150 entries. I was trying to keep it cleaner and not inadvertently reveal something confidential by not showing the whole dump.
>>>
>>> Not to say there isn't, but I don't see anything making them related, key or map.
>>>
>>> I'll throw in there are 3 ipa servers. Each shows the same results.
>>
>> The tofiles command does some internal searches. I wonder if some of those are getting truncated results.
>>
>> You might try: ipa config-mod --searchrecordslimit=200
>>
>> You'll probably need to restart httpd for this new limit to take effect.
>>
>> rob
>

From Steven.Jones at vuw.ac.nz Thu Sep 3 20:54:56 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 3 Sep 2015 20:54:56 +0000
Subject: [Freeipa-users] Replacing the "master"
In-Reply-To:
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com>
Message-ID:

I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try and remove the last one the master?
it says,

"[root at vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.xxxxxxxx
Directory Manager password:

Deleting a master is irreversible.
To reconnect to the remote master you will need to prepare a new replica file
and re-install.
Continue to delete? [no]: yes
Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx and vuwunicoipam003.xxxxxxxxx
You will need to reconfigure your replication topology to delete this server.
[root at vuwunicoipam001 thing]# ipa-replica-manage list
Directory Manager password:

vuwunicoipam002.xxxxxxxx master
vuwunicoipam003.xxxxxxxx master
vuwunicoipam001.xxxxxxxx master
[root at vuwunicoipam001 thing]#"

So how do I re-configure?

regards

Steven

From rcritten at redhat.com Thu Sep 3 22:00:14 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Sep 2015 18:00:14 -0400
Subject: [Freeipa-users] Replacing the "master"
In-Reply-To:
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com>
Message-ID: <55E8C2EE.1020708@redhat.com>

Steven Jones wrote:
> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try and remove the last one the master? it says,
>
> "[root at vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.xxxxxxxx
> Directory Manager password:
>
> Deleting a master is irreversible.
> To reconnect to the remote master you will need to prepare a new replica file
> and re-install.
> Continue to delete? [no]: yes
> Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx and vuwunicoipam003.xxxxxxxxx
> You will need to reconfigure your replication topology to delete this server.
> [root at vuwunicoipam001 thing]# ipa-replica-manage list
> Directory Manager password:
>
> vuwunicoipam002.xxxxxxxx master
> vuwunicoipam003.xxxxxxxx master
> vuwunicoipam001.xxxxxxxx master
> [root at vuwunicoipam001 thing]#"
>
> So how do I re-configure?

Every server is a master. The only differences may be the services running (CA and/or DNS) and only one generates the CRL and manages certificate renewal. Otherwise they are all equal masters.

This doesn't show the topology. Were I to guess it looks like:

    001
   /   \
 002   003

So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003

Then you should be able to delete 001. Just be sure at least one of those other masters has a CA, if not both of them. You may need ipa-csreplica-manage connect to connect that topology.

Also be aware of the DNA config. A master doesn't automatically get one. It only gets it when it creates an entry that needs a range.

rob

From mkosek at redhat.com Fri Sep 4 06:21:58 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 4 Sep 2015 08:21:58 +0200
Subject: [Freeipa-users] Replacing the "master"
In-Reply-To: <55E8C2EE.1020708@redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com> <55E8C2EE.1020708@redhat.com>
Message-ID: <55E93886.6030007@redhat.com>

On 09/04/2015 12:00 AM, Rob Crittenden wrote:
> Steven Jones wrote:
>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try and remove the last one the master? it says,
>>
>> "[root at vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.xxxxxxxx
>> Directory Manager password:
>>
>> Deleting a master is irreversible.
>> To reconnect to the remote master you will need to prepare a new replica file
>> and re-install.
>> Continue to delete?
>> [no]: yes
>> Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx and vuwunicoipam003.xxxxxxxxx
>> You will need to reconfigure your replication topology to delete this server.
>> [root at vuwunicoipam001 thing]# ipa-replica-manage list
>> Directory Manager password:
>>
>> vuwunicoipam002.xxxxxxxx master
>> vuwunicoipam003.xxxxxxxx master
>> vuwunicoipam001.xxxxxxxx master
>> [root at vuwunicoipam001 thing]#"
>>
>> So how do I re-configure?
>
> Every server is a master. The only differences may be the services running (CA and/or DNS) and only one generates the CRL and manages certificate renewal. Otherwise they are all equal masters.
>
> This doesn't show the topology. Were I to guess it looks like:
>
>     001
>    /   \
>  002   003
>
> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
>
> Then you should be able to delete 001. Just be sure at least one of those other masters has a CA, if not both of them. You may need ipa-csreplica-manage connect to connect that topology.
>
> Also be aware of the DNA config. A master doesn't automatically get one. It only gets it when it creates an entry that needs a range.

However, in this case this should not be a problem AFAIK, given that ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:

https://fedorahosted.org/freeipa/ticket/3321

Martin

From harenberg at physik.uni-wuppertal.de Fri Sep 4 06:57:12 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Fri, 4 Sep 2015 08:57:12 +0200
Subject: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)
In-Reply-To: <55E8A1AE.2000905@gmail.com>
References: <55E80DFF.7050205@physik.uni-wuppertal.de> <55E88A11.1040804@gmail.com> <55E88D4D.2060402@redhat.com> <55E8A1AE.2000905@gmail.com>
Message-ID: <55E940C8.5060602@physik.uni-wuppertal.de>

Janelle,

On 03.09.15 at 21:38, Janelle wrote:
> As soon as I get another failed replica in this state (about once every 2-3 weeks) I will post the logs and open a ticket. On one server, I simply did a reboot, and when it came back, the keytab was wrong and the replica now claimed that it was no longer a member of the replica list. Let me get more information and logs to open a ticket.

May I ask you to post a link to the ticket here once it's open? I am really interested to follow this issue.

Besides only two people having the password here, we have a two-factor authentication on ssh, so there shouldn't be login failures via ssh to valid accounts. I posted my "ipa user-show" output earlier.

But we run IPA to authenticate users to a compute cluster of about 3000 job slots, so there are in fact a lot of ssh connections to be handled. And if a flood of jobs is started more or less at the same time, these ssh connections will spread out in parallel. So that could match what Rob was saying.

Hope we can find out at the end what is really causing this..

Best regards

Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                              <>
<> Dr. Torsten Harenberg     harenberg at physik.uni-wuppertal.de  <>
<> Bergische Universitaet                                       <>
<> FB C - Physik             Tel.: +49 (0)202 439-3521          <>
<> Gaussstr. 20              Fax : +49 (0)202 439-2811          <>
<> 42097 Wuppertal                                              <>
<>                                                              <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From danilo.aghemo at xoul.com Fri Sep 4 10:38:47 2015
From: danilo.aghemo at xoul.com (Danilo Aghemo)
Date: Fri, 4 Sep 2015 12:38:47 +0200
Subject: [Freeipa-users] forcing ldaps and https
Message-ID:

Hi all,

how can I force ipa-client to prefer LDAPS and HTTPS over LDAP and HTTP? I've googled before, but with no results.

I know that the server discovery is based upon SRV records in the DNS and these point to 389, not 636. I don't know how to change from 389 to 636, nor whether this would automatically enable LDAPS on port 636.

Then, I have to get rid of HTTP and use HTTPS only.

Regards,
Danilo

From rcritten at redhat.com Fri Sep 4 13:16:50 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Sep 2015 09:16:50 -0400
Subject: [Freeipa-users] Replacing the "master"
In-Reply-To: <55E93886.6030007@redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com> <55E8C2EE.1020708@redhat.com> <55E93886.6030007@redhat.com>
Message-ID: <55E999C2.3060103@redhat.com>

Martin Kosek wrote:
> On 09/04/2015 12:00 AM, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try and remove the last one the master? it says,
>>>
>>> "[root at vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.xxxxxxxx
>>> Directory Manager password:
>>>
>>> Deleting a master is irreversible.
>>> To reconnect to the remote master you will need to prepare a new replica file
>>> and re-install.
>>> Continue to delete? [no]: yes
>>> Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx and vuwunicoipam003.xxxxxxxxx
>>> You will need to reconfigure your replication topology to delete this server.
>>> [root at vuwunicoipam001 thing]# ipa-replica-manage list
>>> Directory Manager password:
>>>
>>> vuwunicoipam002.xxxxxxxx master
>>> vuwunicoipam003.xxxxxxxx master
>>> vuwunicoipam001.xxxxxxxx master
>>> [root at vuwunicoipam001 thing]#"
>>>
>>> So how do I re-configure?
>>
>> Every server is a master. The only differences may be the services running (CA and/or DNS) and only one generates the CRL and manages certificate renewal. Otherwise they are all equal masters.
>>
>> This doesn't show the topology. Were I to guess it looks like:
>>
>>     001
>>    /   \
>>  002   003
>>
>> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
>>
>> Then you should be able to delete 001. Just be sure at least one of those other masters has a CA, if not both of them. You may need ipa-csreplica-manage connect to connect that topology.
>>
>> Also be aware of the DNA config. A master doesn't automatically get one. It only gets it when it creates an entry that needs a range.
>
> However, in this case this should not be a problem AFAIK, given that ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:
>
> https://fedorahosted.org/freeipa/ticket/3321

Well, Steven didn't mention his version so I assumed 3.0. It doesn't hurt to double-check the ranges in advance.

It can still be an issue if one of the masters lacks a DNA range. My patch harvests the DNA range but IIRC doesn't reset the DNA master server on all other masters. So one may still be pointing to nowhere and fail to get a range when needed.
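Rob's advice in this thread (connect the surviving masters to each other before deleting the one in the middle, and make sure a surviving master still runs a CA) can be checked mechanically before anyone types `ipa-replica-manage del`. The script below is an added example, not FreeIPA code and not from any of the mails: its agreement lists are constructed by hand to match Rob's guess at Steven's topology; on a real deployment they would be filled in from `ipa-replica-manage list <host>` and `ipa-csreplica-manage list <host>` for each master, and the CA assignment (assumed here: only 001 and 002 run a CA) from the installation records.

```python
"""Added example (not FreeIPA code): check an IPA replication topology
before running `ipa-replica-manage del`, following Rob's advice above.

The agreement lists are constructed to match Rob's guess at Steven's
topology: 001 in the middle, 002 and 003 each linked only to 001.  On a
real deployment they would come from `ipa-replica-manage list <host>` and
`ipa-csreplica-manage list <host>` for every master.
"""
from collections import deque

# One tuple per replication agreement; agreements are treated as
# undirected links because ipa-replica-manage creates them in pairs.
MAIN_AGREEMENTS = [
    ("vuwunicoipam001", "vuwunicoipam002"),
    ("vuwunicoipam001", "vuwunicoipam003"),
]
# Constructed assumption: only 001 and 002 run a CA, so the CA suffix
# (managed with ipa-csreplica-manage) has a single agreement.
CA_AGREEMENTS = [
    ("vuwunicoipam001", "vuwunicoipam002"),
]


def adjacency(agreements):
    """Map each master to the set of masters it has an agreement with."""
    adj = {}
    for a, b in agreements:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def components_without(adj, victim):
    """Connected components of the topology once `victim` is removed."""
    remaining = set(adj) - {victim}
    seen, comps = set(), []
    for start in sorted(remaining):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in comp:
                continue
            comp.add(node)
            queue.extend(adj.get(node, set()) & remaining)
        seen |= comp
        comps.append(sorted(comp))
    return comps


def plan_removal(agreements, victim, tool="ipa-replica-manage"):
    """Return (orphaned, commands): whether deleting `victim` would split
    the remaining masters into islands, and the `connect` commands that
    join those islands back into a chain (one agreement per gap) so the
    `del` can go ahead afterwards."""
    adj = adjacency(agreements)
    if victim not in adj:
        raise ValueError("%s has no agreements in this topology" % victim)
    comps = components_without(adj, victim)
    commands = [
        "%s connect %s %s" % (tool, comps[i][0], comps[i + 1][0])
        for i in range(len(comps) - 1)
    ]
    return len(comps) > 1, commands


def check_topology(main, ca, victim):
    """Run the check for the main suffix and the CA suffix.  CA masters
    are taken to be the hosts that appear in any CA agreement."""
    report = {}
    report["main_orphaned"], report["main_connect"] = plan_removal(main, victim)
    ca_masters = {host for pair in ca for host in pair}
    report["ca_left"], report["ca_orphaned"], report["ca_connect"] = True, False, []
    if victim in ca_masters:
        remaining_ca = ca_masters - {victim}
        # Rob's caveat: at least one surviving master must still run a CA.
        report["ca_left"] = bool(remaining_ca)
        if len(remaining_ca) > 1:
            report["ca_orphaned"], report["ca_connect"] = plan_removal(
                ca, victim, tool="ipa-csreplica-manage")
    return report


if __name__ == "__main__":
    victim = "vuwunicoipam001"
    result = check_topology(MAIN_AGREEMENTS, CA_AGREEMENTS, victim)
    print("deleting %s would orphan masters: %s" % (victim, result["main_orphaned"]))
    for cmd in result["main_connect"] + result["ca_connect"]:
        print("run first:", cmd)
    if not result["ca_left"]:
        print("WARNING: no remaining master runs a CA")
```

For Steven's topology the script reports that 001 cannot be deleted yet and prints exactly Rob's `ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003`; once that agreement is added to the list it reports no orphans.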
rob

From rcritten at redhat.com Fri Sep 4 13:26:29 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Sep 2015 09:26:29 -0400
Subject: [Freeipa-users] Ugrading IPA to dogtag? CA?
In-Reply-To:
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com>
Message-ID: <55E99C05.3020706@redhat.com>

Steven Jones wrote:
> It seems I built IPA with self signed certs so I need to upgrade? is this possible? and if so how on existing servers?

I think it depends heavily on what version of IPA you are running and what you mean by self-signed.

rob

From yamakasi.014 at gmail.com Fri Sep 4 13:27:01 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Fri, 4 Sep 2015 15:27:01 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi,

Does everyone have this working or given up on it ?

Cheers,

Matt

2015-08-26 20:07 GMT+02:00 Matt . :
> Chris,
>
> How far are you on this ? I'm stuck atm :(
>
> I hope you have some reference notes to follow and check out.
>
> Thanks!
>
> Matt
>
> 2015-08-20 22:15 GMT+02:00 Matt . :
>> Hi Chris,
>>
>> Would be great to see!
>>
>> If I have it working and we have 2-3 testcases I think we can add it to the IPA docs!
>>
>> Keep me updated!
>>
>> Thanks
>>
>> Matt
>>
>> 2015-08-20 8:49 GMT+02:00 Christopher Lamb :
>>> Matt
>>>
>>> Once I got Samba and FreeIPA integrated (by the "good old extensions" path), I always use FreeIPA to administer users. I have never tried the samba tools like smbpasswd.
>>>
>>> I still have a wiki how-to in the works, but I had to focus on some other issues for a while.
>>>
>>> Chris
>>>
>>>
>>> From: "Matt ."
>>> To: Youenn PIOLET
>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>> Date: 20.08.2015 08:12
>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>
>>>
>>> HI Guys,
>>>
>>> Anyone still a working clue/test here ?
>>>
>>> I didn't come further as it seems there needs to be some domain join / match following the freeipa devs.
>>>
>>> Thanks!
>>>
>>> Matt
>>>
>>> 2015-08-13 13:09 GMT+02:00 Matt . :
>>>> Hi,
>>>>
>>>> I might have found something which I already seen in the logs.
>>>>
>>>> I did a smbpasswd my username on the samba server, it connects to ldap very well. I give my new password and get the following:
>>>>
>>>> smbldap_search_ext: base => [dc=my,dc=domain], filter => [(&(objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1----my--sid---)))], scope => [2]
>>>> Attribute [displayName] not found.
>>>> Could not retrieve 'displayName' attribute from cn=Default SMB Group,cn=groups,cn=accounts,dc=my,dc=domain
>>>> Sid S-1----my--sid--- -> MYDOMAIN\Default SMB Group(2)
>>>>
>>>> So something is missing!
>>>>
>>>> Thanks so far guys!
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-08-13 12:02 GMT+02:00 Matt . :
>>>>> Hi Youenn,
>>>>>
>>>>> OK thanks! this takes me a little bit further now and I see some good stuff in my logging.
>>>>>
>>>>> I'm testing on a Windows 10 Machine which is not member of an AD or so, so that might be my issue for now ?
>>>>>
>>>>> When testing on the samba box itself as my user I get:
>>>>>
>>>>> [myusername at smb-01 ~]$ smbclient //smb-01.domain.local/shares
>>>>> ...
>>>>> Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
>>>>> ...
>>>>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>>>>>
>>>>> Maybe I have an issue with encrypted passwords ?
>>>>>
>>>>> When we have this all working, I think we have a howto :D
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET :
>>>>>> Hi Matt
>>>>>>
>>>>>> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly? sambaSamAccount is not needed anymore that way.
>>>>>> - Default IPA Way : won't work if your Windows is not part of a domain controller. DOMAIN\username may work for some users using Windows 7 - not 8 nor 10 (it did for me but I was the only one at the office... quite useless)
>>>>>>
>>>>>> This config may work on your CentOS (for the ipasam way):
>>>>>> workgroup = TEST
>>>>>> realm = TEST.NET
>>>>>> kerberos method = dedicated keytab
>>>>>> dedicated keytab file = FILE:/<.....>/samba.keytab
>>>>>> create krb5 conf = no
>>>>>> security = user
>>>>>> encrypt passwords = true
>>>>>> passdb backend = ipasam:ldaps://youripa.test.net
>>>>>> ldapsam:trusted = yes
>>>>>> ldapsuffix = test.net
>>>>>> ldap user suffix = cn=users,cn=accounts
>>>>>> ldap group suffix = cn=groups,cn=accounts
>>>>>>
>>>>>> --
>>>>>> Youenn Piolet
>>>>>> piolet.y at gmail.com
>>>>>>
>>>>>> 2015-08-12 22:15 GMT+02:00 Matt . :
>>>>>>> Hi,
>>>>>>>
>>>>>>> OK the default IPA way works great actually when testing it as described here:
>>>>>>>
>>>>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>>>
>>>>>>> On the samba server I can auth and see my share where I want to connect to.
>>>>>>>
>>>>>>> The issue is, on Windows I cannot auth, even when I do DOMAIN\username as username
>>>>>>>
>>>>>>> So, the IPA way should work.
>>>>>>>
>>>>>>> Any comments here ?
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-08-12 19:00 GMT+02:00 Matt . :
>>>>>>> > HI GUys,
>>>>>>> >
>>>>>>> > I'm testing this out and I think I almost setup, this on a CentOS samba server.
>>>>>>> >
>>>>>>> > I'm using the ipa-adtrust way of Youenn but it seems we still need to add (objectclass=sambaSamAccount)) ?
>>>>>>> >
>>>>>>> > Info is welcome!
>>>>>>> >
>>>>>>> > I will report back when I have it working.
>>>>>>> >
>>>>>>> > Thanks!
>>>>>>> >
>>>>>>> > Matt
>>>>>>> >
>>>>>>> > 2015-08-10 11:16 GMT+02:00 Christopher Lamb :
>>>>>>> >> The next route I will try - is the one Youenn took, using ipa-adtrust
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> From: "Matt ."
>>>>>>> >> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>> >> Date: 10.08.2015 10:03
>>>>>>> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> Hi Chris,
>>>>>>> >>
>>>>>>> >> Okay this is good to hear.
>>>>>>> >>
>>>>>>> >> But don't we want an IPA managed Scheme ?
>>>>>>> >>
>>>>>>> >> When I did a "ipa-adtrust-install --add-sids" it also wanted a local installed Samba and I wonder why.
>>>>>>> >>
>>>>>>> >> Good that we make some progress on making it all clear.
>>>>>>> >>
>>>>>>> >> Cheers,
>>>>>>> >>
>>>>>>> >> Matt
>>>>>>> >>
>>>>>>> >> 2015-08-10 6:12 GMT+02:00 Christopher Lamb :
>>>>>>> >>> ldapsam + the samba extensions, pretty much as described in the Techslaves article. Once I have a draft for the wiki page, I will mail you.
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>> From: "Matt ."
>>>>>>> >>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>> >>> Date: 09.08.2015 21:17
>>>>>>> >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>> Hi,
>>>>>>> >>>
>>>>>>> >>> Yes I know about "anything" but which way did you use now ?
>>>>>>> >>> >>>>>>> >>> >>>>>>> >>> >>>>>>> >>> 2015-08-09 20:56 GMT+02:00 Christopher Lamb >>>>>>> >> : >>>>>>> >>>> Hi Matt >>>>>>> >>>> >>>>>>> >>>> I am on OEL 7.1. - so anything that works on that should be good >>> for >>>>>>> >> RHEL >>>>>>> >>>> and Centos 7.x >>>>>>> >>>> >>>>>>> >>>> I intend to add a how-to to the FreeIPA Wiki over the next few >>> days. >>>>>>> >>>> As >>>>>>> >>> we >>>>>>> >>>> have suggested earlier, we will likely end up with several, one >>> for >>>>>>> >>>> each >>>>>>> >>> of >>>>>>> >>>> the possible integration paths. >>>>>>> >>>> >>>>>>> >>>> Chris >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> From: "Matt ." >>>>>>> >>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, >>>>>>> >>>> "freeipa-users at redhat.com" >>>>>>> >>>> Date: 09.08.2015 16:45 >>>>>>> >>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >>> against >>>>>>> >>>> IPA >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> Hi Chris, >>>>>>> >>>> >>>>>>> >>>> This sounds great! >>>>>>> >>>> >>>>>>> >>>> What are you using now, both CentOS ? So Samba and FreeIPA ? >>>>>>> >>>> >>>>>>> >>>> Maybe it's good to explain which way you used now in steps too, >>> so we >>>>>>> >>>> can combine or create multiple howto's ? >>>>>>> >>>> >>>>>>> >>>> At least we are going somewhere! >>>>>>> >>>> >>>>>>> >>>> Thanks, >>>>>>> >>>> >>>>>>> >>>> Matt >>>>>>> >>>> >>>>>>> >>>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb >>>>>>> >>> : >>>>>>> >>>>> Hi Matt >>>>>>> >>>>> >>>>>>> >>>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good >>> old >>>>>>> >>> Samba >>>>>>> >>>>> Schema extensions) is up and working, almost flawlessly. >>>>>>> >>>>> >>>>>>> >>>>> I can add users and groups via the FreeIPA CLI, and they get the >>>>>>> >> correct >>>>>>> >>>>> ObjectClasses / attributes required for Samba. 
>>>>>>> >>>>> >>>>>>> >>>>> So far I have not yet bothered to try the extensions to the >>> WebUI, >>>>>>> >>>> because >>>>>>> >>>>> it is currently giving me the classic "Your session has expired. >>>>>>> >>>>> Please >>>>>>> >>>>> re-login." error which renders the WebUI useless. >>>>>>> >>>>> >>>>>>> >>>>> The only problem I have so far encountered managing Samba / >>> FreeIPA >>>>>>> >>> users >>>>>>> >>>>> via FreeIPA CLI commands is with the handling of the attribute >>>>>>> >>>>> sambaPwdLastSet. This is the subject of an existing thread, also >>>>>>> >> updated >>>>>>> >>>>> today. >>>>>>> >>>>> >>>>>>> >>>>> There is also an existing alternative to hacking group.py, using >>>>>>> >>>>> "Class >>>>>>> >>>> of >>>>>>> >>>>> Service" (Cos) documented in this thread from February 2015 >>>>>>> >>>>> >>>>>>> >>> >>>>>>> >>> >>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html >>>>>>> >>>> . >>>>>>> >>>>> I have not yet tried it, but it sounds reasonable. >>>>>>> >>>>> >>>>>>> >>>>> Chris >>>>>>> >>>>> >>>>>>> >>>>> >>>>>>> >>>>> >>>>>>> >>>>> >>>>>>> >>>>> >>>>>>> >>>>> From: "Matt ." >>>>>>> >>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH >>>>>>> >>>>> Cc: "freeipa-users at redhat.com" , >>>>>>> >>>>> Youenn >>>>>>> >>>>> PIOLET >>>>>>> >>>>> Date: 06.08.2015 16:19 >>>>>>> >>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >>> against >>>>>>> >> IPA >>>>>>> >>>>> >>>>>>> >>>>> >>>>>>> >>>>> >>>>>>> >>>>> Hi Chris, >>>>>>> >>>>> >>>>>>> >>>>> OK, than we might create two different versions of the wiki, I >>> think >>>>>>> >>>>> this is nice. 
>>>>>>> >>>>>
>>>>>>> >>>>> I'm still figuring out why I get that:
>>>>>>> >>>>>
>>>>>>> >>>>> IPA Error 4205: ObjectclassViolation
>>>>>>> >>>>>
>>>>>>> >>>>> missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>>>>>>> >>>>>
>>>>>>> >>>>> Matt
>>>>>>> >>>>>
>>>>>>> >>>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb :
>>>>>>> >>>>>> Hi Matt
>>>>>>> >>>>>>
>>>>>>> >>>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA integration paths.
>>>>>>> >>>>>>
>>>>>>> >>>>>> The route I took is suited where there is no Active Directory involved: In my case all the Windows, OSX and Linux clients are islands that sit on the same network.
>>>>>>> >>>>>>
>>>>>>> >>>>>> The route that Youenn has taken (unless I have got completely the wrong end of the stick) requires Active Directory in the architecture.
>>>>>>> >>>>>>
>>>>>>> >>>>>> Chris
>>>>>>> >>>>>>
>>>>>>> >>>>>>
>>>>>>> >>>>>> From: "Matt ."
>>>>>>> >>>>>> To: Youenn PIOLET
>>>>>>> >>>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>> >>>>>> Date: 06.08.2015 14:42
>>>>>>> >>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> >>>>>>
>>>>>>> >>>>>>
>>>>>>> >>>>>> Hi,
>>>>>>> >>>>>>
>>>>>>> >>>>>> OK, this sounds already quite logical, but I'm still referring to the old howto we found earlier, does that one still apply somewhere or not at all ?
>>>>>>> >>>>>>
>>>>>>> >>>>>> Thanks,
>>>>>>> >>>>>>
>>>>>>> >>>>>> Matt
>>>>>>> >>>>>>
>>>>>>> >>>>>>
>>>>>>> >>>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>>>>>>> >>>>>>> Hey guys,
>>>>>>> >>>>>>>
>>>>>>> >>>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>>>>>> >>>>>>>
>>>>>>> >>>>>>> General idea:
>>>>>>> >>>>>>>
>>>>>>> >>>>>>> On FreeIPA (4.1)
>>>>>>> >>>>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier attribute, also known as SID)
>>>>>>> >>>>>>> - regenerate each user password to build ipaNTHash attribute, not here by default on users
>>>>>>> >>>>>>> - use your ldap browser to check ipaNTHash values are here on user objects
>>>>>>> >>>>>>> - create a CIFS service for your samba server
>>>>>>> >>>>>>> - Create user roles/permissions as described here:
>>>>>>> >>>>>>> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>>>>> >>>>>>> so that CIFS service will be able to read ipaNTsecurityidentifier and ipaNTHash attributes in LDAP (ACI)
>>>>>>> >>>>>>> - SCP ipasam.so module to your cifs server (this is the magic trick) : scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/ You can also try to recompile it.
>>>>>>> >>>>>>>
>>>>>>> >>>>>>> On SAMBA Server side (CentOS 7...)
>>>>>>> >>>>>>> - Install server keytab file for CIFS
>>>>>>> >>>>>>> - check ipasam.so is here.
>>>>>>> >>>>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI uid=admin ipaNTHash` thanks to kerberos
>>>>>>> >>>>>>> - make your smb.conf following the linked thread and restart service
>>>>>>> >>>>>>>
>>>>>>> >>>>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and ipasam may use quite recent functionalities, the best is to just try. You can read in previous thread : "If you insist on Ubuntu you need to get ipasam somewhere, most likely to compile it yourself".
>>>>>>> >>>>>>>
>>>>>>> >>>>>>> Make sure your user has ipaNTHash attribute :)
>>>>>>> >>>>>>>
>>>>>>> >>>>>>> You may want to debug authentication on samba server, I usually do this: `tail -f /var/log/samba/log* | grep
>>>>>>> >>>>>>>
>>>>>>> >>>>>>> Cheers
>>>>>>> >>>>>>> --
>>>>>>> >>>>>>> Youenn Piolet
>>>>>>> >>>>>>> piolet.y at gmail.com
>>>>>>> >>>>>>>
>>>>>>> >>>>>>>
>>>>>>> >>>>>>> 2015-08-05 17:40 GMT+02:00 Matt . :
>>>>>>> >>>>>>>>
>>>>>>> >>>>>>>> Hi,
>>>>>>> >>>>>>>>
>>>>>>> >>>>>>>> This sounds great to me too, but a howto would help to make it more clear about what you have done here. The thread confuses me a little bit.
>>>>>>> >>>>>>>>
>>>>>>> >>>>>>>> Can you paste your commands so we can test out too and report back ?
>>>>>>> >>>>>>>>
>>>>>>> >>>>>>>> Thanks!
>>>>>>> >>>>>>>>
>>>>>>> >>>>>>>> Matt
>>>>>>> >>>>>>>>
>>>>>>> >>>>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
>>>>>>> >>>>>>>> > Hi Youenn
>>>>>>> >>>>>>>> >
>>>>>>> >>>>>>>> > Good news that you have got an integration working
>>>>>>> >>>>>>>> >
>>>>>>> >>>>>>>> > Now you have got it going, and the solution is fresh in your mind, how about adding a How-to page on this solution to the FreeIPA wiki?
>>>>>>> >>>>>>>> >
>>>>>>> >>>>>>>> > Chris
>>>>>>> >>>>>>>> >
>>>>>>> >>>>>>>> >
>>>>>>> >>>>>>>> > From: Youenn PIOLET
>>>>>>> >>>>>>>> > To: "Matt ."
>>>>>>> >>>>>>>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>> >>>>>>>> > Date: 05.08.2015 14:51
>>>>>>> >>>>>>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> >>>>>>>> >
>>>>>>> >>>>>>>> >
>>>>>>> >>>>>>>> > Hi guys,
>>>>>>> >>>>>>>> >
>>>>>>> >>>>>>>> > Thank you so much for your previous answers.
>>>>>>> >>>>>>>> > I realised my SID were stored in ipaNTsecurityidentifier, thanks to ipa-adtrust-install --add-sids
>>>>>>> >>>>>>>> >
>>>>>>> >>>>>>>> > I found another way to configure smb here:
>>>>>>> >>>>>>>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>>>>> >>>>>>>> > It works perfectly.
>>>>>>> >>>>>>>> >
>>>>>>> >>>>>>>> > I'm using module ipasam.so I have manually scp to the samba server, Samba is set to use kerberos + ldapsam via this ipasam module.
>>> Following the instructions, I created a user role allowing service principal to read ipaNTHash value from the LDAP.
>>> ipaNTHash is generated each time a user changes his password.
>>> Authentication works perfectly on Windows 7, 8 and 10.
>>>
>>> For more details, the previously linked thread is quite clear.
>>>
>>> Cheers
>>>
>>> --
>>> Youenn Piolet
>>> piolet.y at gmail.com
>>>
>>> 2015-08-05 11:10 GMT+02:00 Matt . :
>>> Hi Chris.
>>>
>>> Yes, Apache Studio did that but I was not sure why it complained it was "already" there.
>>>
>>> I'm still getting:
>>>
>>> IPA Error 4205: ObjectclassViolation
>>>
>>> missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>>>
>>> When adding a user.
>>>
>>> I also see "class" as fieldname under my "Last name", this is not OK also.
>>>
>>> We sure need to make some howto, I think we can nail this down :)
>>>
>>> Thanks for the heads up!
>>>
>>> Matthijs
>>>
>>> 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>>>> Hi Matt
>>>>
>>>> If I use Apache Directory Studio to add an attribute ipaCustomFields to cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:
>>>>
>>>> #!RESULT OK
>>>> #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>>>> #!DATE 2015-08-05T05:45:04.608
>>>> dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>> changetype: modify
>>>> add: ipaCustomFields
>>>> ipaCustomFields: Samba Group Type,sambagrouptype,true
>>>>
>>>> After that I then have a visible attribute ipaCustomFields as expected.
>>>>
>>>> When adding the attribute, the wizard offered me "ipaCustomFields" as attribute type in a drop down list.
>>>>
>>>> Once we get this cracked, we really must write a how-to on the FreeIPA Wiki.
>>>>
>>>> Chris
>>>>
>>>> From: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> To: "Matt ."
>>>> Cc: "freeipa-users at redhat.com"
>>>> Date: 05.08.2015 07:31
>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> Sent by: freeipa-users-bounces at redhat.com
>>>>
>>>> Hi Matt
>>>>
>>>> I also got the same result at that step, but can see nothing in Apache Directory Studio.
>>>>
>>>> As I am using existing Samba / FreeIPA groups migrated across, they probably were migrated with all the required attributes.
>>>>
>>>> Looking more closely at that LDIF: I wonder should it not be:
>>>>
>>>> ldapmodify -Y GSSAPI <<EOF
>>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>> changetype: modify
>>>> add: ipaCustomFields
>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>> EOF
>>>>
>>>> i.e. changetype: modify, instead of changetype add ?
>>>>
>>>> I don't want to play around with my prod directory - I will setup an EL 7.1 VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around more destructively.
>>>>
>>>> Chris
>>>>
>>>> From: "Matt ."
>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> Cc: Youenn PIOLET , "freeipa-users at redhat.com"
>>>> Date: 05.08.2015 01:01
>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>
>>>> Hi Chris,
>>>>
>>>> I'm at the right path, but my issue is that:
>>>>
>>>> ldapmodify -Y GSSAPI <<EOF
>>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>> changetype: add
>>>> add: ipaCustomFields
>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>> EOF
>>>>
>>>> Does say it exists, my ldap explorer doesn't show it, and when I add it manually as an attribute it still fails when I add a user on this sambagrouptype as it's needed by the other attributes
>>>>
>>>> So that is my issue I think so far.
>>>>
>>>> Any clue about that ?
>>>>
>>>> No problem "you don't know something or are no guru" we are all learning! :)
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>> Hi Matt, Youeen
>>>>>
>>>>> Just to set the background properly, I did not invent this process.
>>>>> I know only a little about FreeIPA, and almost nothing about Samba, but I guess I was lucky enough to get the integration working on a Sunday afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
>>>>>
>>>>> It sounds like we need to step back, and look at the test user and group in the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.
>>>>>
>>>>> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA (cn=accounts, cn=users):
>>>>>
>>>>> * objectClass: sambasamaccount
>>>>>
>>>>> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>>>>>
>>>>> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA (cn=accounts, cn=groups):
>>>>>
>>>>> * objectClass: sambaGroupMapping
>>>>>
>>>>> * Attributes: sambaGroupType, sambaSID
>>>>>
>>>>> The Users must belong to one or more of the samba groups that you have setup.
>>>>>
>>>>> If you don't have something similar to the above (which sounds like it is the case), then something went wrong applying the extensions. It would be worth testing comparing a new user / group created post adding the extensions to a previous existing user.
>>>>>
>>>>> i.e.
>>>>> are the extensions missing on existing users / groups?
>>>>> are the extensions missing on new users / groups?
>>>>>
>>>>> Cheers
>>>>>
>>>>> Chris
>>>>>
>>>>> From: Youenn PIOLET
>>>>> To: "Matt ."
>>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>> Date: 04.08.2015 18:56
>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>
>>>>> Hi there,
>>>>>
>>>>> I have difficulties to follow you at this point :)
>>>>> Here is what I've done and what I've understood:
>>>>>
>>>>> ## SMB Side
>>>>> - Testparm OK
>>>>> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
>>>>> - pdbedit -Lv output is all successful but I can see there is a filter : (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have sambaSamAccount.
>>>>>
>>>>> ## LDAP / FreeIPA side
>>>>> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA server to get samba LDAP extensions.
>>>>> - I can see samba classes exist in LDAP but are not used on my group objects nor my user objects
>>>>> - I have added sambaSamAccount in FreeIPA default user classes, and sambaGroupMapping to default group classes. In that state I can't create user nor groups anymore, as new samba attributes are needed for instantiation.
>>>>> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' but I don't get what it does.
>>>>> - I tried to add the samba.js plugin. It works, and adds the "local" option when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 (domain). It doesn't work and tells that sambagrouptype attribute doesn't exist (but it should now I put sambaGroupType class by default...)
>>>>>
>>>>> ## Questions
>>>>> 0) Can I ask samba not to search sambaSamAccount and use unix / posix instead? I guess no.
>>>>> 1) How to generate the user/group SIDs ? They are requested to add sambaSamAccount classes. This article doesn't seem relevant since we don't use domain controller
>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
>>>>> and net getlocalsid returns an error.
>>>>> 2) How to fix samba.js plugin?
>>>>> 3) I guess an equivalent of samba.js is needed for user creation, where can I find it?
>>>>> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows 7?
>>>>>
>>>>> Thanks a lot for your previous and future answers
>>>>>
>>>>> --
>>>>> Youenn Piolet
>>>>> piolet.y at gmail.com
>>>>>
>>>>> 2015-08-04 17:55 GMT+02:00 Matt . :
>>>>> Hi,
>>>>>
>>>>> Yes, log is anonymised.
>>>>>
>>>>> It's strange, my user doesn't have a SambaPwdLastSet, also when I change its password it doesn't get it in ldap.
>>>>>
>>>>> There must be something going wrong I guess.
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-04 17:45 GMT+02:00 Christopher Lamb :
>>>>>> Hi Matt
>>>>>>
>>>>>> I assume [username] is a real username, identical to that in the FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
>>>>>>
>>>>>> Your user should be a member of the appropriate samba groups that you setup in FreeIPA.
>>>>>>
>>>>>> You should check that the user attribute SambaPwdLastSet is set to a positive value (e.g. 1). If not you get an error in the Samba logs - I would need to play around again with a test user to find out the exact error.
>>>>>>
>>>>>> I don't understand what you mean about syncing the users local, but we did not need to do anything like that.
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>> From: "Matt ."
>>>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>>> Cc: "freeipa-users at redhat.com"
>>>>>> Date: 04.08.2015 15:33
>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>
>>>>>> Hi Chris,
>>>>>>
>>>>>> A puppet run added another passdb backend, that was causing my issue.
>>>>>>
>>>>>> What I still experience is:
>>>>>>
>>>>>> [2015/08/04 15:29:45.477783, 3] ../source3/auth/check_samsec.c:399 (check_sam_security)
>>>>>>   check_sam_security: Couldn't find user 'username' in passdb.
>>>>>> [2015/08/04 15:29:45.478026, 2] ../source3/auth/auth.c:288 (auth_check_ntlm_password)
>>>>>>   check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>
>>>>>> I also wonder if I shall still sync the users local, or is it needed ?
>>>>>>
>>>>>> Thanks again,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>>>> Hi Matt
>>>>>>>
>>>>>>> From our smb.conf file:
>>>>>>>
>>>>>>> [global]
>>>>>>> security = user
>>>>>>> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>>>>>>> ldap suffix = dc=my,dc=silly,dc=example,dc=com
>>>>>>> ldap admin dn = cn=Directory Manager
>>>>>>>
>>>>>>> So yes, we use Directory Manager, it works for us. I have not tried with a less powerful user, but it is conceivable that a lesser user may not see all the required attributes, resulting in "no such user" errors.
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>> From: "Matt ."
>>>>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>>>> Cc: "freeipa-users at redhat.com"
>>>>>>> Date: 04.08.2015 13:32
>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>
>>>>>>> Hi Chris,
>>>>>>>
>>>>>>> Thanks for the heads up, indeed local is 4 I see now when I add a group from the GUI, great thanks!
>>>>>>>
>>>>>>> But do you use Directory Manager as ldap admin user or some other admin account ?
>>>>>>>
>>>>>>> I'm not sure if DM is needed and it should get that deep into IPA. Also when starting samba it cannot find "such user" as that sounds quite known as it has no UID.
>>>>>>>
>>>>>>> From your config I see you use DM, this should work ?
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Matt
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project

From abokovoy at redhat.com Fri Sep 4 13:27:14 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 4 Sep 2015 16:27:14 +0300
Subject: [Freeipa-users] forcing ldaps and https
In-Reply-To:
References:
Message-ID: <20150904132714.GT22106@redhat.com>

On Fri, 04 Sep 2015, Danilo Aghemo wrote:
>Hi all,
>how can I force ipa-client to prefer LDAPS and HTTPS over LDAP and HTTP?
>I've googled before, but with no results.
>
>I know that the server discovery is based upon SRV records in the DNS and
>these point to 389, not 636. I don't know how to change from 389 to
>636, nor if this would automatically enable LDAPS on port 636. Then, I have
>to get rid of HTTP and use HTTPS only.
LDAPS is deprecated in favor of StartTLS and not recommended. The client
actually uses STARTTLS on port 389, not a plain LDAP.
--
/ Alexander Bokovoy

From mbabinsk at redhat.com Fri Sep 4 14:37:00 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 4 Sep 2015 16:37:00 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <3FE94CE3-CCC8-4B2A-AA40-9736F66BBDB5@gmail.com>
References: <20150722160802.GA21928@redhat.com> <20150722164042.GB21928@redhat.com> <55B087C9.3060900@redhat.com> <20150723064133.GE21928@redhat.com> <20150728035937.GG21928@redhat.com> <20150828150920.GV22106@redhat.com> <9859EB0E-319F-450E-8ABC-D682C8DC8836@gmail.com> <20150828154119.GY22106@redhat.com> <3FE94CE3-CCC8-4B2A-AA40-9736F66BBDB5@gmail.com>
Message-ID: <55E9AC8C.2080907@redhat.com>

On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
>
>> On 28 Aug 2015 at 17:41, Alexander Bokovoy wrote:
>>
>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>>>
>>>> On 28 Aug 2015 at 17:09, Alexander Bokovoy wrote:
>>>>
>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>>>
>>>>>> On 28 Jul 2015 at 05:59, Alexander Bokovoy wrote:
>>>>>>> If the problem is too hard to solve, maybe I should try to deploy another
>>>>>>> replica ?
>>>>>> You may try that. Sorry for not responding, I have some other tasks that
>>>>>> occupy my time right now.
>>>>>>
>>>>>
>>>>>
>>>>> Can you please tell me the procedure to decommission and re-create a new replica ?
>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the only things to do ?
>>>> No, you need also to remove the server from the replication topology.
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>
>>> I can't remove the node on which I have problem with pki-tomcatd :
>>>
>>> # ipa-replica-manage del xxxx.example.com
>>> Deleting a master is irreversible.
>>> To reconnect to the remote master you will need to prepare a new replica file
>>> and re-install.
>>> Continue to delete? [no]: yes
>>> Deleting this server is not allowed as it would leave your installation without a CA
>>>
>>> It seems that it's the only node where CA is installed. What should I do now ?
>> Add a replica with CA using ipa-ca-install on existing replica.
>>
>> Read the guide, it has detailed coverage of these situations.
>> --
>> / Alexander Bokovoy
>
> On the first node (which is working and without pki-tomcatd service)
> # ipa-ca-install
> Directory Manager (existing master) password:
>
> CA is already installed.
>
> How is it possible ?
>
You must provide a replica file as an argument to ipa-ca-install if you want to setup CA on another replica.

--
Martin^3 Babinsky

From christoph.kaminski at biotronik.com Fri Sep 4 14:37:42 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Fri, 4 Sep 2015 16:37:42 +0200
Subject: [Freeipa-users] Problem with replication?
Message-ID:

Hi

we have a lot of these messages in the error log of dirsrv... What can be the problem and how can we fix it?
our (first) master (ipa-1.mgmt.biotronik-homemonitoring.int):

[04/Sep/2015:16:06:41 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:08:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:08:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:11:41 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:11:41 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:13:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:13:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:16:40 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:16:40 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:18:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:18:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32

one of our other ipa's (ipa-1.mgmt.datacenter-homemonitoring.int):

[04/Sep/2015:16:21:41 +0200] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)

Greetz
Christoph Kaminski

From christoph.kaminski at biotronik.com Fri Sep 4 14:49:33 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Fri, 4 Sep 2015 16:49:33 +0200
Subject: [Freeipa-users] Faulty LDAP record
Message-ID:

Hi All,

how can I delete a faulty user in IPA 4.1? The record in LDAP looks like this:
nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso

It is not possible to delete it over the WebUI and with LDAP Browser I get this error:

Deleting is not possible, the following error appears:
Error while deleting entry LDAP: error code 32 - No Such Object

Greetz
Christoph Kaminski

From lkrispen at redhat.com Fri Sep 4 15:07:03 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 04 Sep 2015 17:07:03 +0200
Subject: [Freeipa-users] Problem with replication?
In-Reply-To:
References:
Message-ID: <55E9B397.1030301@redhat.com>

On 09/04/2015 04:37 PM, Christoph Kaminski wrote:
> Hi
>
> we have a lot of these messages in the error log of dirsrv... What can
> be the problem and how can we fix it?
> > our (first) master (ipa-1.mgmt.biotronik-homemonitoring.int): > [04/Sep/2015:16:06:41 +0200] ipalockout_postop - [file ipa_lockout.c, > line 503]: Failed to retrieve entry "cn=Replication Manager > masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config":32 > > [04/Sep/2015:16:08:00 +0200] ipalockout_preop - [file ipa_lockout.c, > line 749]: Failed to retrieve entry "cn=Replication Manager > masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32 > [04/Sep/2015:16:08:00 +0200] ipalockout_postop - [file ipa_lockout.c, > line 503]: Failed to retrieve entry "cn=Replication Manager > masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32 > [04/Sep/2015:16:11:41 +0200] ipalockout_preop - [file ipa_lockout.c, > line 749]: Failed to retrieve entry "cn=Replication Manager > masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config":32 > > [04/Sep/2015:16:11:41 +0200] ipalockout_postop - [file ipa_lockout.c, > line 503]: Failed to retrieve entry "cn=Replication Manager > masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config":32 > > [04/Sep/2015:16:13:00 +0200] ipalockout_preop - [file ipa_lockout.c, > line 749]: Failed to retrieve entry "cn=Replication Manager > masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32 > [04/Sep/2015:16:13:00 +0200] ipalockout_postop - [file ipa_lockout.c, > line 503]: Failed to retrieve entry "cn=Replication Manager > masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32 > [04/Sep/2015:16:16:40 +0200] ipalockout_preop - [file ipa_lockout.c, > line 749]: Failed to retrieve entry "cn=Replication Manager > masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config":32 > > [04/Sep/2015:16:16:40 +0200] ipalockout_postop - [file ipa_lockout.c, > line 503]: Failed to retrieve entry "cn=Replication Manager > 
masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config":32
>
> [04/Sep/2015:16:18:00 +0200] ipalockout_preop - [file ipa_lockout.c,
> line 749]: Failed to retrieve entry "cn=Replication Manager
> masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
> [04/Sep/2015:16:18:00 +0200] ipalockout_postop - [file ipa_lockout.c,
> line 503]: Failed to retrieve entry "cn=Replication Manager
> masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
>
> one of our other ipa's (ipa-1.mgmt.datacenter-homemonitoring.int):
> [04/Sep/2015:16:21:41 +0200] slapi_ldap_bind - Error: could not bind
> id [cn=Replication Manager
> masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config]
> authentication mechanism [SIMPLE]: error 32 (No such object) errno 0
> (Success)

this means you somehow lost the user for authentication in replication. you could try to add it back, as a template use one existing user in ou=csusers,cn=config

> Greetz
> Christoph Kaminski

From lkrispen at redhat.com Fri Sep 4 15:10:01 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 04 Sep 2015 17:10:01 +0200
Subject: [Freeipa-users] Faulty LDAP record
In-Reply-To:
References:
Message-ID: <55E9B449.7060405@redhat.com>

On 09/04/2015 04:49 PM, Christoph Kaminski wrote:
> Hi All,
>
> how can I delete a faulty user in IPA 4.1? The record in LDAP look
> like this:
> nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso

this is a replication conflict entry, the user uid=zimt was added in parallel on two servers. you should be able to delete it with ldapmodify

ldapmodify .....
dn: nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso
changetype: delete

> It is not possible to delete it over the WebUI and with LDAP Browser I
> get this error:
>
> Deleting is not possible, the following error appears:
> Error while deleting entry LDAP: error code 32 - No Such Object
>
> Greetz
> Christoph Kaminski

From baghery.jone at gmail.com Sat Sep 5 06:04:03 2015
From: baghery.jone at gmail.com (alireza baghery)
Date: Sat, 5 Sep 2015 10:34:03 +0430
Subject: [Freeipa-users] user AD not login but user freeipa can login
Message-ID:

hi
i have centos 6.7 (ipa server) and TRUST with windows 2008 r2 (AD)
clients centos 6.7 (ipa client sssd 1.12.4)
kinit userAD on linux executes successfully
but AD users cannot log in

From baghery.jone at gmail.com Sat Sep 5 07:22:10 2015
From: baghery.jone at gmail.com (alireza baghery)
Date: Sat, 5 Sep 2015 11:52:10 +0430
Subject: [Freeipa-users] user AD not login but user freeipa can login
In-Reply-To:
References:
Message-ID:

error in file /var/log/sssd/sssd_l.test.com
+++++++
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Operations error(1), Failed to handle the request.
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
+++++++
Also on the IPA server I inserted into /etc/sssd/sssd.conf
debug_level = 6
and the error in /var/log/sssd/sssd_l.test.com is
++++++
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Operations error(1), Failed to handle the request.
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
+++++++

On Sat, Sep 5, 2015 at 10:34 AM, alireza baghery wrote:
> hi
> i have centos 6.7 (ipa server) and TRUST with windows 2008 r2 (AD)
> clients centos 6.7 (ipa client sssd 1.12.4)
> kinit userAD on linux execute successful
> but users AD not login

From lists at olivarim.com Sat Sep 5 09:47:45 2015
From: lists at olivarim.com (Marin Bernard)
Date: Sat, 05 Sep 2015 11:47:45 +0200
Subject: [Freeipa-users] GSSAPI authentication for libvirt VNC
In-Reply-To: <55E5A870.200@gmail.com>
References: <1440953389.7321.26.camel@olivarim.com> <55E5A870.200@gmail.com>
Message-ID: <1441446465.3035.18.camel@olivarim.com>

Hi,

Thanks a lot for answering me.

On Tuesday 1 September 2015 at 09:30 -0400, Brendan Kearney wrote:
> On 08/30/2015 12:49 PM, Marin Bernard wrote:
> > Hi,
> >
> > I followed the instructions from freeipa.org (
> > https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
> > and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
> > fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
> > unable to get a VNC connection to any guest: both virt-manager and
> > virt-viewer fail. The former speaks about a "closed or refused connection",
> > and the latter just closes.
> >
> > On the KVM host, each VNC login attempt adds the following record to
> > the systemd journal:
> >
> > qemu-kvm[3202]: GSSAPI server step 1
> >
> > On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
> > correct to me:
> >
> > # ps -aux | grep qemu-kvm
> > -vnc 0.0.0.0:0,sasl
> >
> > QEMU may read the VNC keytab
> >
> > $ ls -l /etc/qemu/
> > total 4
> > -rw-------. 1 qemu root 458 30 août 15:48 krb5.tab
> >
> > Contents of /etc/sasl2/qemu-kvm.conf (comments removed)
> >
> > mech_list: gssapi
> > keytab: /etc/qemu/krb5.tab
> >
> > The client seems to grab correct tickets:
> >
> > $ klist
> > Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
> > Default principal: marin at CLOUD.OLIVARIM.COM
> >
> > Valid starting Expires Service principal
> > 30/08/2015 16:11:22 31/08/2015 15:34:53 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
> > 30/08/2015 16:08:12 31/08/2015 15:34:53 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
> >
> > KVM Host is Centos 7.2, up to date.
> >
> > FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev. 18.el7.centos.4
> >
> > Client is Fedora 22, up to date.
> >
> > I tried to disable both the firewall and SELinux but it did not change anything.
> >
> > Do you have any clues ?
> >
> > Thanks!
> >
> > Marin.
>
> my /etc/sasl2/qemu.conf (note the different file name, may be relevant*):

I had already tried to rename the file to 'qemu.conf', but it didn't make any difference. Note that on CentOS 7.2, the file is named 'qemu-kvm.conf' by default.

> mech_list: gssapi
> keytab: /etc/qemu/qemu.keytab
> sasldb_path: /etc/qemu/passwd.db
> auxprop_plugin: sasldb

My '/etc/sasl2/qemu.conf' file has the same content as yours, except my keytab is named 'krb5.conf'.

> my /etc/sasl2/libvirt.conf:
>
> mech_list: gssapi
> keytab: /etc/libvirt/libvirt.keytab

Libvirt GSSAPI works fine for me. My '/etc/sasl2/libvirt.conf' has the same config as yours, except for the keytab name.

> my /etc/qemu/qemu.keytab file has the principal used/needed for VNC
> (vnc/host.domain.tld at REALM). you can check yours with "klist -Kket
> /path/to/qemu.keytab"

Done.
Keytab is valid: $ sudo klist -Kket qemu/krb5.tab Keytab name: FILE:qemu.keytab KVNO Timestamp Principal ---- ------------------- ---------------------------------------------- -------- 3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM ( aes256-cts-hmac-sha1-96) 3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM ( aes128-cts-hmac-sha1-96) 3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM ( des3-cbc-sha1) 3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM ( arcfour-hmac) > my /etc/libvirt/libvirt.keytab file has the principal used/needed for > virt-manager or virsh console (libvirt/host.domain.tld at REALM). you > can > check your with "klist -Kket /path/to/libvirt.keytab" Done too. The keytab is valid and GSSAPI works fine with it: $ sudo klist -Kket libvirt/krb5.tab Keytab name: FILE:libvirt/krb5.tab KVNO Timestamp Principal ---- ------------------- ---------------------------------------------- -------- 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.oliv arim.com at CLOUD.OLIVARIM.COM (aes256-cts-hmac-sha1-96) 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.oliv arim.com at CLOUD.OLIVARIM.COM (aes128-cts-hmac-sha1-96) 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.oliv arim.com at CLOUD.OLIVARIM.COM (des3-cbc-sha1) 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.oliv arim.com at CLOUD.OLIVARIM.COM (arcfour-hmac) > * the name of the file in /etc/sasl2/ is tied to the name of the > application. find the sysadmin.html page for Cyrus-SASL-libs, which > states: > > By default, the Cyrus SASL library reads it's options from > /usr/lib/sasl2/App.conf (where "App" is the application defined name > of > the application). 
> For instance, Sendmail reads its configuration from
> "/usr/lib/sasl2/Sendmail.conf" and the sample server application
> included with the library looks in "/usr/lib/sasl2/sample.conf".

Here are the contents of my '/etc/sasl2/' directory after I ran 'restorecon':

[marin at nice-hkvm-ctrl-01 sasl2]$ ls -lZ
-rw-r--r--. root root system_u:object_r:etc_t:s0 libvirt.conf
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 qemu.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 qemu-kvm.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 smtpd.conf

'qemu.conf' and 'qemu-kvm.conf' are identical copies. SELinux seems to stick to the default file name ('qemu-kvm.conf') and have no knowledge of 'qemu.conf'. Anyway, as SELinux is disabled, this should not be a problem.

From gjn at gjn.priv.at Sat Sep 5 10:48:46 2015
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sat, 05 Sep 2015 12:48:46 +0200
Subject: [Freeipa-users] certificate add subject alt Name
Message-ID: <3880303.smKUlFW0em@techz>

Hello,

System CentOS 7.

is it possible to change a certificate to add a subject alt name?

My "Problem" is, I have a Mail Server with name smtp.example.com and the correct service certificates smtp/smtp.example.com & imap/example.com

now I make in my DNS Server (an external system) a new Record "imap IN CNAME smtp" but this is now missing in the certificate?

The Problem I mean is DNSSEC, so I can't set this up with freeIPA and I don't have a host/imap.example.com.

Does anyone have an answer for MY Problem ;-).

I can't find anything, but I mean this is working with freeIPA?

--
mit freundlichen Grüssen / best regards,

Günther J. Niederwimmer

From lists at olivarim.com Sat Sep 5 12:34:48 2015
From: lists at olivarim.com (Marin Bernard)
Date: Sat, 05 Sep 2015 14:34:48 +0200
Subject: [Freeipa-users] GSSAPI authentication for libvirt VNC
In-Reply-To: <1441446465.3035.18.camel@olivarim.com>
References: <1440953389.7321.26.camel@olivarim.com> <55E5A870.200@gmail.com> <1441446465.3035.18.camel@olivarim.com>
Message-ID: <1441456488.4685.10.camel@olivarim.com>

Hi again,

I finally got it working. It appears VNC looks for a file named 'spice.conf' in '/etc/sasl2'. On CentOS 7.2, symlinking '/etc/sasl2/spice.conf' to '/etc/sasl2/qemu-kvm.conf' is enough:

$ ls -l /etc/sasl2
total 12
-rw-r--r--. 1 root root 1278 30 août 15:50 libvirt.conf
-rw-r--r--. 1 root root 1291 5 sept. 14:12 qemu-kvm.conf
-rw-r--r--. 1 root root 49 10 juin 2014 smtpd.conf
lrwxrwxrwx. 1 root root 13 5 sept. 14:15 spice.conf -> qemu-kvm.conf

Of course, a 'vnc.conf' symlink won't work. It has to be named 'spice.conf' even if you don't use Spice.

I think this should be documented somewhere. The freeipa.org VNC howto seems like a good place to mention it.

Thanks to Brendan and Rich for helping me to find this out.

Marin.

On Saturday 5 September 2015 at 11:47 +0200, Marin Bernard wrote:
> Hi,
>
> Thanks a lot for answering me.
>
> On Tuesday 1 September 2015 at 09:30 -0400, Brendan Kearney wrote:
> > On 08/30/2015 12:49 PM, Marin Bernard wrote:
> > > Hi,
> > >
> > > I followed the instructions from freeipa.org (
> > > https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
> > > and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
> > > fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
> > > unable to get a VNC connection to any guest: both virt-manager and
> > > virt-viewer fail. The former speaks about a "closed or refused connection",
> > > and the latter just closes.
> > > On the KVM host, each VNC login attempt adds the following record to
> > > the systemd journal:
> > >
> > > qemu-kvm[3202]: GSSAPI server step 1
> > >
> > > On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
> > > correct to me:
> > >
> > > # ps -aux | grep qemu-kvm
> > > -vnc 0.0.0.0:0,sasl
> > >
> > > QEMU may read the VNC keytab
> > >
> > > $ ls -l /etc/qemu/
> > > total 4
> > > -rw-------. 1 qemu root 458 30 août 15:48 krb5.tab
> > >
> > > Contents of /etc/sasl2/qemu-kvm.conf (comments removed)
> > >
> > > mech_list: gssapi
> > > keytab: /etc/qemu/krb5.tab
> > >
> > > The client seems to grab correct tickets:
> > >
> > > $ klist
> > > Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
> > > Default principal: marin at CLOUD.OLIVARIM.COM
> > >
> > > Valid starting Expires Service principal
> > > 30/08/2015 16:11:22 31/08/2015 15:34:53 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
> > > 30/08/2015 16:08:12 31/08/2015 15:34:53 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
> > >
> > > KVM Host is Centos 7.2, up to date.
> > >
> > > FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev. 18.el7.centos.4
> > >
> > > Client is Fedora 22, up to date.
> > >
> > > I tried to disable both the firewall and SELinux but it did not change anything.
> > >
> > > Do you have any clues ?
> > >
> > > Thanks!
> > >
> > > Marin.
> >
> > my /etc/sasl2/qemu.conf (note the different file name, may be relevant*):
>
> I had already tried to rename the file to 'qemu.conf', but it didn't
> make any difference. Note that on CentOS 7.2, the file is named
> 'qemu-kvm.conf' by default.
> > > > > mech_list: gssapi > > keytab: /etc/qemu/qemu.keytab > > sasldb_path: /etc/qemu/passwd.db > > auxprop_plugin: sasldb > > > > My '/etc/sasl2/qemu.conf' file has the same content as yours, except > my > keytab is named 'krb5.conf'. > > > my /etc/sasl2/libvirt.conf: > > > > mech_list: gssapi > > keytab: /etc/libvirt/libvirt.keytab > > > > Libvirt GSSAPI works fine for me. My '/etc/sasl2/libvirt.conf' has > the > same config as yours, except for the keytab name. > > > my /etc/qemu/qemu.keytab file has the principal used/needed for VNC > > (vnc/host.domain.tld at REALM). you can check yours with "klist -Kket > > /path/to/qemu.keytab" > > > > Done. Keytab is valid: > > $ sudo klist -Kket qemu/krb5.tab > Keytab name: FILE:qemu.keytab > KVNO Timestamp Principal > ---- ------------------- -------------------------------------------- > -- > -------- > 3 30/08/2015 18:12:20 > vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM > ( > aes256-cts-hmac-sha1-96) > 3 30/08/2015 18:12:20 > vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM > ( > aes128-cts-hmac-sha1-96) > 3 30/08/2015 18:12:20 > vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM > ( > des3-cbc-sha1) > 3 30/08/2015 18:12:20 > vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM > ( > arcfour-hmac) > > > my /etc/libvirt/libvirt.keytab file has the principal used/needed > > for > > virt-manager or virsh console (libvirt/host.domain.tld at REALM). you > > can > > check your with "klist -Kket /path/to/libvirt.keytab" > > Done too. 
The keytab is valid and GSSAPI works fine with it: > > $ sudo klist -Kket libvirt/krb5.tab > Keytab name: FILE:libvirt/krb5.tab > KVNO Timestamp Principal > ---- ------------------- -------------------------------------------- > -- > -------- > 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl > -01.core.nice.cloud.oliv > arim.com at CLOUD.OLIVARIM.COM (aes256-cts-hmac-sha1-96) > 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl > -01.core.nice.cloud.oliv > arim.com at CLOUD.OLIVARIM.COM (aes128-cts-hmac-sha1-96) > 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl > -01.core.nice.cloud.oliv > arim.com at CLOUD.OLIVARIM.COM (des3-cbc-sha1) > 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl > -01.core.nice.cloud.oliv > arim.com at CLOUD.OLIVARIM.COM (arcfour-hmac) > > > * the name of the file in /etc/sasl2/ is tied to the name of the > > application. find the sysadmin.html page for Cyrus-SASL-libs, > > which > > states: > > > > By default, the Cyrus SASL library reads it's options from > > /usr/lib/sasl2/App.conf (where "App" is the application defined > > name > > of > > the application). For instance, Sendmail reads it's configuration > > from > > "/usr/lib/sasl2/Sendmail.conf" and the sample server application > > included with the library looks in "/usr/lib/sasl2/sample.conf". > > > > Here is the contents of my '/etc/sasl2/' directory after I ran > 'restorecon': > > [marin at nice-hkvm-ctrl-01 sasl2]$ ls -lZ > -rw-r--r--. root root system_u:object_r:etc_t:s0 libvirt.conf > -rw-r--r--. root root unconfined_u:object_r:etc_t:s0 qemu.conf > -rw-r--r--. root root system_u:object_r:etc_t:s0 qemu-kvm.conf > -rw-r--r--. root root system_u:object_r:etc_t:s0 smtpd.conf > > 'qemu.conf' and 'qemu-kvm.conf' are identical copies. SELinux seems > to > stick to the default file name ('qemu-kvm.conf') and have no > knowledge > of 'qemu.conf'. Anyway, as SELinux is disabled, this should not be a > problem. 
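The fix Marin found hinges on which per-application file Cyrus SASL loads: the library reads <appname>.conf from the SASL config directory, and on his CentOS 7.2 host QEMU's VNC server loaded spice.conf while the package shipped qemu-kvm.conf. The following is an added example, not code from the thread, from FreeIPA or from QEMU. It is a small Python checker that resolves the file a given SASL application name would load, confirms mech_list offers gssapi, and verifies that the keytab it names exists and is not group- or world-readable. The demo builds the CentOS layout from the thread in a throwaway directory with constructed files (the keytab is a stand-in, not a real one) instead of touching /etc/sasl2, and shows the check failing before the spice.conf symlink exists and passing after it.

```python
"""Check the Cyrus SASL per-application config that a service would load.

Added example, not part of the thread or of FreeIPA/QEMU. Cyrus SASL reads
<sasl_dir>/<appname>.conf; the thread found QEMU's VNC server on CentOS 7.2
asks for "spice", so spice.conf must exist even though the package installs
qemu-kvm.conf. demo() builds that layout in a temp dir with constructed
files and runs the check before and after adding the symlink.
"""
import os
import stat
import tempfile
from typing import Dict, List

SASL_DIR = "/etc/sasl2"   # where the CentOS host in the thread keeps them


def parse_sasl_conf(path: str) -> Dict[str, str]:
    """Parse 'key: value' lines; '#' comments and blank lines are ignored."""
    opts: Dict[str, str] = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition(":")
            if sep:
                opts[key.strip().lower()] = value.strip()
    return opts


def check_app_conf(app: str, sasl_dir: str = SASL_DIR) -> List[str]:
    """Return the problems found in the config SASL would load for `app`.
    An empty list means GSSAPI is offered and the keytab is usable."""
    problems: List[str] = []
    conf = os.path.join(sasl_dir, app + ".conf")
    if not os.path.exists(conf):      # follows symlinks, as SASL would
        return [f"{conf} missing: SASL falls back to library defaults"]
    opts = parse_sasl_conf(conf)
    mechs = opts.get("mech_list", "").lower().split()
    if "gssapi" not in mechs:
        problems.append(f"{conf}: mech_list does not offer gssapi ({mechs})")
    keytab = opts.get("keytab")
    if not keytab:
        problems.append(f"{conf}: no keytab option, GSSAPI has no service key")
    elif not os.path.isfile(keytab):
        problems.append(f"{conf}: keytab {keytab} does not exist")
    else:
        mode = stat.S_IMODE(os.stat(keytab).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            # Anyone who can read the keytab holds the service's long-term key.
            problems.append(f"{keytab}: readable by group/other (mode {mode:o})")
    return problems


def demo() -> Dict[str, List[str]]:
    """Reproduce the thread's layout (qemu-kvm.conf only), check the app
    name 'spice', then add the spice.conf symlink and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        sasl_dir = os.path.join(tmp, "sasl2")
        os.mkdir(sasl_dir)
        keytab = os.path.join(tmp, "krb5.tab")   # constructed stand-in keytab
        with open(keytab, "w") as fh:
            fh.write("not a real keytab\n")
        os.chmod(keytab, 0o600)                   # matches -rw------- in the thread
        with open(os.path.join(sasl_dir, "qemu-kvm.conf"), "w") as fh:
            fh.write(f"mech_list: gssapi\nkeytab: {keytab}\n")

        before = check_app_conf("spice", sasl_dir)
        os.symlink("qemu-kvm.conf", os.path.join(sasl_dir, "spice.conf"))
        after = check_app_conf("spice", sasl_dir)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, findings in demo().items():
        print(phase, "->", findings or "OK")
```

On a live host, call check_app_conf("spice") and check_app_conf("libvirt") to cover both the VNC and the libvirt SASL endpoints. The permission test is deliberate: the keytab carries the vnc/ or libvirt/ service's long-term key, so anything beyond 0600 owned by the service user lets another local account impersonate that service.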
From simo at redhat.com Sat Sep 5 14:09:39 2015
From: simo at redhat.com (Simo Sorce)
Date: Sat, 05 Sep 2015 10:09:39 -0400
Subject: [Freeipa-users] GSSAPI authentication for libvirt VNC
In-Reply-To: <1441456488.4685.10.camel@olivarim.com>
References: <1440953389.7321.26.camel@olivarim.com> <55E5A870.200@gmail.com> <1441446465.3035.18.camel@olivarim.com> <1441456488.4685.10.camel@olivarim.com>
Message-ID: <1441462179.3048.43.camel@willson.usersys.redhat.com>

On Sat, 2015-09-05 at 14:34 +0200, Marin Bernard wrote:
> Hi again,
>
> I finally got it working. It appears VNC looks for a file named
> 'spice.conf' in '/etc/sasl2'. On CentOS 7.2, symlinking
> '/etc/sasl2/spice.conf' to '/etc/sasl2/qemu-kvm.conf' is enough:
>
> $ ls -l /etc/sasl2
> total 12
> -rw-r--r--. 1 root root 1278 30 août 15:50 libvirt.conf
> -rw-r--r--. 1 root root 1291 5 sept. 14:12 qemu-kvm.conf
> -rw-r--r--. 1 root root 49 10 juin 2014 smtpd.conf
> lrwxrwxrwx. 1 root root 13 5 sept. 14:15 spice.conf -> qemu-kvm.conf
>
> Of course, a 'vnc.conf' symlink won't work. It has to be named
> 'spice.conf' even if you don't use Spice.
>
> I think this should be documented somewhere. The freeipa.org VNC howto
> seems like a good place to mention it.

It would be nice if you could log into the wiki and add a note.
If you have issues with that just send me a pvt email with the text you'd add and I'll make the change.

Thanks,
Simo.

> Thanks to Brendan and Rich for helping me to find this out.
>
> Marin.
>
> On Saturday 5 September 2015 at 11:47 +0200, Marin Bernard wrote:
> > Hi,
> >
> > Thanks a lot for answering me.
> >
> > On Tuesday 1 September 2015 at 09:30 -0400, Brendan Kearney wrote:
> > > On 08/30/2015 12:49 PM, Marin Bernard wrote:
> > > > Hi,
> > > >
> > > > I followed the instructions from freeipa.org (
> > > > https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
> > > > and VNC use GSSAPI authentication with FreeIPA.
> > > > The libvirt part works
> > > > fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
> > > > unable to get a VNC connection to any guest: both virt-manager and
> > > > virt-viewer fail. The former speaks about a "closed or refused connection",
> > > > and the latter just closes.
> > > >
> > > > On the KVM host, each VNC login attempt adds the following record to
> > > > the systemd journal:
> > > >
> > > > qemu-kvm[3202]: GSSAPI server step 1
> > > >
> > > > On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
> > > > correct to me:
> > > >
> > > > # ps -aux | grep qemu-kvm
> > > > -vnc 0.0.0.0:0,sasl
> > > >
> > > > QEMU may read the VNC keytab
> > > >
> > > > $ ls -l /etc/qemu/
> > > > total 4
> > > > -rw-------. 1 qemu root 458 30 août 15:48 krb5.tab
> > > >
> > > > Contents of /etc/sasl2/qemu-kvm.conf (comments removed)
> > > >
> > > > mech_list: gssapi
> > > > keytab: /etc/qemu/krb5.tab
> > > >
> > > > The client seems to grab correct tickets:
> > > >
> > > > $ klist
> > > > Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
> > > > Default principal: marin at CLOUD.OLIVARIM.COM
> > > >
> > > > Valid starting Expires Service principal
> > > > 30/08/2015 16:11:22 31/08/2015 15:34:53 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
> > > > 30/08/2015 16:08:12 31/08/2015 15:34:53 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM
> > > >
> > > > KVM Host is Centos 7.2, up to date.
> > > >
> > > > FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev. 18.el7.centos.4
> > > >
> > > > Client is Fedora 22, up to date.
> > > >
> > > > I tried to disable both the firewall and SELinux but it did not change anything.
> > > >
> > > > Do you have any clues ?
> > > >
> > > > Thanks!
> > > >
> > > > Marin.
> > > > > > > my /etc/sasl2/qemu.conf (note the different file name, may be > > > relevant*): > > > > I had already tried to rename the file to 'qemu.conf', but it didn't > > make any difference. Note that on CentOS 7.2, the file is named > > 'qemu > > -kvm.conf' by default. > > > > > > > > mech_list: gssapi > > > keytab: /etc/qemu/qemu.keytab > > > sasldb_path: /etc/qemu/passwd.db > > > auxprop_plugin: sasldb > > > > > > > My '/etc/sasl2/qemu.conf' file has the same content as yours, except > > my > > keytab is named 'krb5.conf'. > > > > > my /etc/sasl2/libvirt.conf: > > > > > > mech_list: gssapi > > > keytab: /etc/libvirt/libvirt.keytab > > > > > > > Libvirt GSSAPI works fine for me. My '/etc/sasl2/libvirt.conf' has > > the > > same config as yours, except for the keytab name. > > > > > my /etc/qemu/qemu.keytab file has the principal used/needed for VNC > > > (vnc/host.domain.tld at REALM). you can check yours with "klist -Kket > > > /path/to/qemu.keytab" > > > > > > > Done. Keytab is valid: > > > > $ sudo klist -Kket qemu/krb5.tab > > Keytab name: FILE:qemu.keytab > > KVNO Timestamp Principal > > ---- ------------------- -------------------------------------------- > > -- > > -------- > > 3 30/08/2015 18:12:20 > > vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM > > ( > > aes256-cts-hmac-sha1-96) > > 3 30/08/2015 18:12:20 > > vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM > > ( > > aes128-cts-hmac-sha1-96) > > 3 30/08/2015 18:12:20 > > vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM > > ( > > des3-cbc-sha1) > > 3 30/08/2015 18:12:20 > > vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim.com at CLOUD.OLIVARIM.COM > > ( > > arcfour-hmac) > > > > > my /etc/libvirt/libvirt.keytab file has the principal used/needed > > > for > > > virt-manager or virsh console (libvirt/host.domain.tld at REALM). you > > > can > > > check your with "klist -Kket /path/to/libvirt.keytab" > > > > Done too. 
The keytab is valid and GSSAPI works fine with it: > > > > $ sudo klist -Kket libvirt/krb5.tab > > Keytab name: FILE:libvirt/krb5.tab > > KVNO Timestamp Principal > > ---- ------------------- -------------------------------------------- > > -- > > -------- > > 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl > > -01.core.nice.cloud.oliv > > arim.com at CLOUD.OLIVARIM.COM (aes256-cts-hmac-sha1-96) > > 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl > > -01.core.nice.cloud.oliv > > arim.com at CLOUD.OLIVARIM.COM (aes128-cts-hmac-sha1-96) > > 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl > > -01.core.nice.cloud.oliv > > arim.com at CLOUD.OLIVARIM.COM (des3-cbc-sha1) > > 3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl > > -01.core.nice.cloud.oliv > > arim.com at CLOUD.OLIVARIM.COM (arcfour-hmac) > > > > > * the name of the file in /etc/sasl2/ is tied to the name of the > > > application. find the sysadmin.html page for Cyrus-SASL-libs, > > > which > > > states: > > > > > > By default, the Cyrus SASL library reads it's options from > > > /usr/lib/sasl2/App.conf (where "App" is the application defined > > > name > > > of > > > the application). For instance, Sendmail reads it's configuration > > > from > > > "/usr/lib/sasl2/Sendmail.conf" and the sample server application > > > included with the library looks in "/usr/lib/sasl2/sample.conf". > > > > > > > Here is the contents of my '/etc/sasl2/' directory after I ran > > 'restorecon': > > > > [marin at nice-hkvm-ctrl-01 sasl2]$ ls -lZ > > -rw-r--r--. root root system_u:object_r:etc_t:s0 libvirt.conf > > -rw-r--r--. root root unconfined_u:object_r:etc_t:s0 qemu.conf > > -rw-r--r--. root root system_u:object_r:etc_t:s0 qemu-kvm.conf > > -rw-r--r--. root root system_u:object_r:etc_t:s0 smtpd.conf > > > > 'qemu.conf' and 'qemu-kvm.conf' are identical copies. SELinux seems > > to > > stick to the default file name ('qemu-kvm.conf') and have no > > knowledge > > of 'qemu.conf'. 
> > Anyway, as SELinux is disabled, this should not be a
> > problem.
>

--
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Sat Sep 5 15:46:04 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sat, 5 Sep 2015 17:46:04 +0200
Subject: [Freeipa-users] user AD not login but user freeipa can login
In-Reply-To:
References:
Message-ID: <20150905153945.GA5942@hendrix>

On Sat, Sep 05, 2015 at 11:52:10AM +0430, alireza baghery wrote:
> error in file /var/log/sssd/sssd_l.test.com
> +++++++
>
> [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result:
> Operations error(1), Failed to handle the request.
> [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>
> +++++++
> Also in Server IPA insert in file /etc/sssd/sssd.conf
> debug_level = 6
> and Error /var/log/sssd/sssd_l.test.com
> ++++++
>
> [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result:
> Operations error(1), Failed to handle the request.
> [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

Please read:
https://fedorahosted.org/sssd/wiki/Troubleshooting
"Common IPA provider issues" and debug according to that guide.

There is also https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ that despite the title also describes the data flow.

From mmalek at iisg.agh.edu.pl Sat Sep 5 19:12:10 2015
From: mmalek at iisg.agh.edu.pl (Mateusz Małek)
Date: Sat, 5 Sep 2015 21:12:10 +0200
Subject: [Freeipa-users] Troubles with extending FreeIPA Web UI to fit my environment
In-Reply-To: <55E58BAC.7090202@redhat.com>
References: <55DE813E.8010505@iisg.agh.edu.pl> <55E58BAC.7090202@redhat.com>
Message-ID: <55EB3E8A.8000207@iisg.agh.edu.pl>

On 01.09.2015 at 13:27, Petr Vobornik wrote:
> On 08/27/2015 05:17 AM, Mateusz Małek wrote:
>> We're trying to adjust FreeIPA to our environment... quite a bit. Here
>> are some bullet points:
>>
>> (...)
>> >> For points 3, 5, 6 and to limit available choices in 2, we need to plug >> into Web UI. Samples at https://pvoborni.fedorapeople.org/plugins/ >> provided us with some basic info how to write plugins. > > Glad to read that the plugin support is used. Especially in this scale. > > I'd like to ask you for a feedback. What are the main things that > would make extending IPA easier for you? I think that some Web UI documentation is needed - some kind of index of available widgets (their names, parameters, some usage examples for more complex widgets like entity_select), dialog windows and facets (like search), examples for various things like how to add new batch actions (with a new button at the top of search view) or to make layout and contents of facets/dialog boxes dependent on which user is using Web UI (like self-service differs from admin view). UI seems extremely extensible and probably many "examples" of how to do different things are already there, but it takes some time to find which part of UI uses them and can be copied to custom module (or adjusted in some other way). Do you have some tips on how to setup programming environment for UI development? >> However, I face some issues when I register my module under different >> entity name instead of overriding user (I want to keep original user >> module available) > > Just curious, why do you want to keep the original user entity object? Maybe not necessarily to keep original entity object, but to manage the same object using two different UI plugins (keeping original module available was quick test of such scenario). We have sysadmins - who can modify all user details - and user administrator - who needs really simple interface for creating new accounts and prolonging validity of existing. 
>
>> It seems that check if (that.entity !== that.managed_entity) in
>> freeipa/search.js fails (condition is true), which causes
>> managed_entity_pkey_prefix function to return [""] instead of [] -
>> object inspection shows both entity and managed_entity refer to user
>> entity, but probably these are two different JS objects (and that's why
>> they are considered different). Am I doing something wrong or is it some
>> bug?
>
> There is no claim that it should work so I would say that it is a
> limitation of original design and unfinished refactoring than a bug.
> The code can be improved to support multiple entity objects for the
> same IPA object but I'm worried that it can break something else.
>
> Maybe simple comparison by an entity name would help.

Oh, I see. I'll probably try to find other way around, as I'm a bit short on time. Extending FreeIPA is part of my engineering thesis, but at the same time I'm applying my changes to our CentOS-based production environment - that's why I'm trying to keep existing codebase intact (and it would take some time before any changes make their way to packages in RHEL repositories).

Thanks,
Mateusz Małek

From Steven.Jones at vuw.ac.nz Sun Sep 6 20:45:09 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 6 Sep 2015 20:45:09 +0000
Subject: [Freeipa-users] Replacing the "master"
In-Reply-To: <55E999C2.3060103@redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com> <55E8C2EE.1020708@redhat.com> <55E93886.6030007@redhat.com> <55E999C2.3060103@redhat.com>
Message-ID:

Martin Kosek wrote:
> On 09/04/2015 12:00 AM, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I
>>> try and remove the last one the master?
>>> it says,
>>>
>>> "[root at vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.xxxxxxxx
>>> Directory Manager password:
>>>
>>> Deleting a master is irreversible.
>>> To reconnect to the remote master you will need to prepare a new replica file
>>> and re-install.
>>> Continue to delete? [no]: yes
>>> Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx and
>>> vuwunicoipam003.xxxxxxxxx
>>> You will need to reconfigure your replication topology to delete this server.
>>> [root at vuwunicoipam001 thing]# ipa-replica-manage list
>>> Directory Manager password:
>>>
>>> vuwunicoipam002.xxxxxxxx master
>>> vuwunicoipam003.xxxxxxxx master
>>> vuwunicoipam001.xxxxxxxx master
>>> [root at vuwunicoipam001 thing]#"
>>>
>>> So how do I re-configure?
>>
>> Every server is a master. The only differences may be the services running (CA
>> and/or DNS) and only one generates the CRL and manages certificate renewal.
>> Otherwise they are all equal masters.
>>
>> This doesn't show the topology. Were I to guess it looks like:
>>
>>     001
>>    /   \
>> 002     003
>>
>> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003

Did that. Topology is now:

    002
   /   \
001 - 003

We lost 001 so had to promote 002 to the "master". I don't recall nor can I find anything in the docs on this process, maybe update your docs to reflect this essential step?

> However, in this case this should not be a problem AFAIK, given that
> ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:
>
> https://fedorahosted.org/freeipa/ticket/3321

RHEL6.7, IPA 3.0. I am trying to upgrade to RHEL7.1 and IPA4.1 and want to fix any mistakes made when the setup was first built in RHEL6.2

"Also be aware of the DNA config"

oh joy....all these hidden land mines to discover. :(

I suppose the next Q is what queries do I have to run in order to collect all the relevant [mis-]config to compare against the ideal and then plan to fix these, and what is the ideal?
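Rob's point above is that ipa-replica-manage del refuses when removing a server would leave the others unable to reach each other, and the remedy is to connect the remaining servers first. As an added example, not code from the thread or from ipa-replica-manage, the Python below models the replication agreements as an undirected graph (connect creates agreements in both directions), lists the connected components that would remain after deleting a server (more than one component means orphans), and produces the ipa-replica-manage connect commands that would join them back into one topology. The agreement list is constructed from Rob's sketch of the original layout; on a real deployment it would come from ipa-replica-manage list run with each master's name, output the thread does not show.

```python
"""Would deleting a FreeIPA master orphan the remaining ones?

Added example, not code from the thread or from ipa-replica-manage. The
agreements are constructed from Rob's sketch: 001 linked to 002 and 003,
002 and 003 not linked to each other. Real input would be gathered from
`ipa-replica-manage list <server>` on each master.
"""
from typing import Dict, Iterable, List, Set, Tuple

Agreement = Tuple[str, str]

AGREEMENTS: List[Agreement] = [
    ("vuwunicoipam001", "vuwunicoipam002"),
    ("vuwunicoipam001", "vuwunicoipam003"),
]


def build_graph(agreements: Iterable[Agreement]) -> Dict[str, Set[str]]:
    """ipa-replica-manage connect sets up agreements both ways, so the
    topology is treated as an undirected graph of servers."""
    graph: Dict[str, Set[str]] = {}
    for a, b in agreements:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def components_after_removal(agreements: Iterable[Agreement],
                             victim: str) -> List[Set[str]]:
    """Connected components of the topology once `victim` is deleted.
    One component: the rest still replicate with each other. More than
    one: the situation ipa-replica-manage reports as orphaning."""
    graph = build_graph(agreements)
    if victim not in graph:
        raise ValueError(f"{victim} has no replication agreements")
    remaining = {s: n - {victim} for s, n in graph.items() if s != victim}
    components: List[Set[str]] = []
    unseen = set(remaining)
    while unseen:
        start = min(unseen)          # lowest name first, for stable output
        component, stack = {start}, [start]
        while stack:
            for nxt in remaining[stack.pop()]:
                if nxt not in component:
                    component.add(nxt)
                    stack.append(nxt)
        components.append(component)
        unseen -= component
    return sorted(components, key=min)


def connect_commands(components: List[Set[str]]) -> List[str]:
    """Fewest `ipa-replica-manage connect A B` commands that join the
    components into one topology: chain one representative per component."""
    reps = [min(c) for c in components]
    return [f"ipa-replica-manage connect {a} {b}" for a, b in zip(reps, reps[1:])]


if __name__ == "__main__":
    victim = "vuwunicoipam001"
    comps = components_after_removal(AGREEMENTS, victim)
    if len(comps) > 1:
        print(f"deleting {victim} would orphan:", [sorted(c) for c in comps])
        print("run first:", *connect_commands(comps), sep="\n  ")
    else:
        print(f"deleting {victim} leaves the topology connected")
```

Connectivity is only one of the things to settle before the delete; Martin's note about the DNA range applies as well, since the server being removed may hold a range that ipa-replica-manage has to hand off to a surviving master.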
From Steven.Jones at vuw.ac.nz Sun Sep 6 20:47:01 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 6 Sep 2015 20:47:01 +0000
Subject: [Freeipa-users] Upgrading IPA to dogtag? CA?
In-Reply-To: <55E99C05.3020706@redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> ,<1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk>, <1427931369.19641.6.camel@willson.usersys.redhat.com> , <55E99C05.3020706@redhat.com>
Message-ID:

RHEL6.7 and IPA 3.0

"self-signed" not understanding such terminology terribly well, I am not sure at all. What command will tell me what I have?

regards

Steven
________________________________________
From: Rob Crittenden
Sent: Saturday, 5 September 2015 1:26 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Upgrading IPA to dogtag? CA?

Steven Jones wrote:
> It seems I built IPA with self signed certs so I need to upgrade? is this possible? and if so how on existing servers?

I think it depends heavily on what version of IPA you are running and what you mean by self-signed.
rob

From christoph.kaminski at biotronik.com Mon Sep 7 11:25:39 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Mon, 7 Sep 2015 13:25:39 +0200
Subject: [Freeipa-users] Antwort: Re: Faulty LDAP record
In-Reply-To: <55E9B449.7060405@redhat.com>
References: <55E9B449.7060405@redhat.com>
Message-ID:

I got the same error as in ldap browser:

ldapmodify -h localhost -D "cn=Directory Manager" -W -x <<EOF
> dn: nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso
> changetype: delete
>
> EOF
Enter LDAP Password:
deleting entry "nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso"
ldap_delete: No such object (32)

freeipa-users at redhat.com freeipa-users-bounces at redhat.com wrote on 04.09.2015 17:10:01:

> From: Ludwig Krispenz
> To: freeipa-users at redhat.com
> Date: 04.09.2015 17:08
> Subject: Re: [Freeipa-users] Faulty LDAP record
> Sent by: freeipa-users-bounces at redhat.com
>
> On 09/04/2015 04:49 PM, Christoph Kaminski wrote:
> Hi All,
>
> how can I delete a faulty user in IPA 4.1? The record in LDAP looks like this:
> nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa
> +uid=zimt,cn=users,cn=accounts,dc=hso
> this is a replication conflict entry, the user uid=zimt was added in
> parallel on two servers. you should be able to delete it with ldapmodify
>
> ldapmodify .....
> dn: nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa
> +uid=zimt,cn=users,cn=accounts,dc=hso
> changetype: delete

Greetz
Christoph Kaminski
From ellertalexandre at gmail.com Mon Sep 7 11:36:09 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Mon, 7 Sep 2015 13:36:09 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To: <55E9AC8C.2080907@redhat.com>
References: <20150722160802.GA21928@redhat.com> <20150722164042.GB21928@redhat.com> <55B087C9.3060900@redhat.com> <20150723064133.GE21928@redhat.com> <20150728035937.GG21928@redhat.com> <20150828150920.GV22106@redhat.com> <9859EB0E-319F-450E-8ABC-D682C8DC8836@gmail.com> <20150828154119.GY22106@redhat.com> <3FE94CE3-CCC8-4B2A-AA40-9736F66BBDB5@gmail.com> <55E9AC8C.2080907@redhat.com>
Message-ID:

> On 4 Sept 2015, at 16:37, Martin Babinsky wrote:
>
> On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
>>
>>> On 28 Aug 2015, at 17:41, Alexander Bokovoy wrote:
>>>
>>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>>>>
>>>>> On 28 Aug 2015, at 17:09, Alexander Bokovoy wrote:
>>>>>
>>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>>>>
>>>>>>> On 28 July 2015, at 05:59, Alexander Bokovoy wrote:
>>>>>>>> If the problem is too hard to solve, maybe I should try to deploy another
>>>>>>>> replica ?
>>>>>>> You may try that. Sorry for not responding, I have some other tasks that
>>>>>>> occupy my time right now.
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Can you please tell me the procedure to decommission and re-create a new replica ?
>>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the only things to do ?
>>>>> No, you need also to remove the server from the replication topology.
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>
>>>> I can't remove the node on which I have problem with pki-tomcatd :
>>>>
>>>> # ipa-replica-manage del xxxx.example.com
>>>> Deleting a master is irreversible.
>>>> To reconnect to the remote master you will need to prepare a new replica file
>>>> and re-install.
>>>> Continue to delete? [no]: yes
>>>> Deleting this server is not allowed as it would leave your installation without a CA
>>>>
>>>> It seems that it's the only node where CA is installed. What should I do now ?
>>> Add a replica with CA using ipa-ca-install on existing replica.
>>>
>>> Read the guide, it has detailed coverage of these situations.
>>> --
>>> / Alexander Bokovoy
>>
>> On the first node (which is working and without pki-tomcatd service)
>> # ipa-ca-install
>> Directory Manager (existing master) password:
>>
>> CA is already installed.
>>
>> How is it possible ?
>>
>>
> You must provide a replica file as an argument to ipa-ca-install if you want to setup CA on another replica.
>
> --
> Martin^3 Babinsky

I'm still stuck with the correct command line :

[root at inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check Get credentials to log in to remote master admin at NUMEEZY.FR password: Check SSH connection to remote master Execute check on remote master Check connection from master to remote replica 'inf-ipa.numeezy.fr': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): WARNING Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): WARNING HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following UDP ports could not be verified as open: 88, 464 This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder. Connection from master to replica is OK. Connection check OK Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/21]: creating certificate server user [2/21]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit status 1 [error] RuntimeError: Configuration of CA failed Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Configuration of CA failed From piolet.y at gmail.com Mon Sep 7 12:13:35 2015 From: piolet.y at gmail.com (Youenn PIOLET) Date: Mon, 7 Sep 2015 14:13:35 +0200 Subject: [Freeipa-users] Antwort: Re: Faulty LDAP record In-Reply-To: References: <55E9B449.7060405@redhat.com> Message-ID: Hi, Did you try to restart the directory server? I had a similar experience in compat tree, maybe your problem is some kind of "ghost" entry that will not reappear after a restart. 
Regards,

--
Youenn Piolet
piolet.y at gmail.com


2015-09-07 13:25 GMT+02:00 Christoph Kaminski <christoph.kaminski at biotronik.com>:

> I got the same error as in ldap browser:
>
> ldapmodify -h localhost -D "cn=Directory Manager" -W -x <<EOF
> > dn: nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso
> > changetype: delete
> >
> > EOF
> Enter LDAP Password:
> deleting entry "nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso"
> ldap_delete: No such object (32)
>
> freeipa-users at redhat.com freeipa-users-bounces at redhat.com wrote on 04.09.2015 17:10:01:
>
> > From: Ludwig Krispenz
> > To: freeipa-users at redhat.com
> > Date: 04.09.2015 17:08
> > Subject: Re: [Freeipa-users] Faulty LDAP record
> > Sent by: freeipa-users-bounces at redhat.com
> >
> > On 09/04/2015 04:49 PM, Christoph Kaminski wrote:
> > Hi All,
> >
> > how can I delete a faulty user in IPA 4.1? The record in LDAP looks like this:
> > nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa
> > +uid=zimt,cn=users,cn=accounts,dc=hso
> > this is a replication conflict entry, the user uid=zimt was added in
> > parallel on two servers. you should be able to delete it with ldapmodify
> >
> > ldapmodify .....
> > dn: nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa
> > +uid=zimt,cn=users,cn=accounts,dc=hso
> > changetype: delete
>
> Greetz
> Christoph Kaminski
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
From christoph.kaminski at biotronik.com Mon Sep 7 12:21:00 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Mon, 7 Sep 2015 14:21:00 +0200
Subject: [Freeipa-users] Antwort: Re: Antwort: Re: Faulty LDAP record
In-Reply-To:
References: <55E9B449.7060405@redhat.com>
Message-ID:

Youenn PIOLET wrote on 07.09.2015 14:13:35:

> From: Youenn PIOLET
> To: Christoph Kaminski
> Cc: Ludwig Krispenz , freeipa-users at redhat.com
> Date: 07.09.2015 14:16
> Subject: Re: [Freeipa-users] Antwort: Re: Faulty LDAP record
>
> Hi,
> Did you try to restart the directory server?
> I had a similar experience in compat tree, maybe your problem is
> some kind of "ghost" entry that will not reappear after a restart.
>
> Regards,
>

yep tried it already...

Greetz
Christoph Kaminski

From david.dejaeghere at gmail.com Mon Sep 7 13:00:48 2015
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Mon, 7 Sep 2015 15:00:48 +0200
Subject: [Freeipa-users] SOA Serial changes overnight and is inconsisstent with replica
Message-ID:

Hello,

I noticed on the couple of installs that I am running that my zones have different soa serial values on both master and replica. I also noticed that this value is changing without adding or removing a record some time during the night.

What exactly is changing this and how come these values become inconsistent?
For example:
Serial on master: 1441509183
Serial on replica: 1441597213

Is this expected?

Kind Regards,

David

From mmarodin at tiscali.it Tue Sep 8 09:00:49 2015
From: mmarodin at tiscali.it (mmarodin at tiscali.it)
Date: Tue, 08 Sep 2015 11:00:49 +0200
Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
Message-ID: <1b4ba153fedc6d13d8dd008a0c899455@tiscali.it>

Hi everyone.
I've a problem with my new freeipa installation, v4.1.0, over RHEL 7-like distribution.

The installation was ok, but now I've some problems operating via CLI:

# ipa user-show admin
ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

I've got the same problem connecting via curl, but after doing these commands for curl now it works, but not for ipa cli operations:
----------------------
# certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
# certutil -L -d /etc/pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract
----------------------

And also this command doesn't work:

# ipa trust-add --type=ad mydomain.com --admin Administrator --password
ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

So ... what's the problem?

Let me know, thanks.
Morgan
URL: From abokovoy at redhat.com Tue Sep 8 10:46:57 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 8 Sep 2015 13:46:57 +0300 Subject: [Freeipa-users] Slow email responses this week from FreeIPA/SSSD teams at Red Hat Message-ID: <20150908104657.GU22106@redhat.com> Hi everyone! We have a gathering of Red Hat members of FreeIPA and SSSD teams in Brno, Czech Republic this week with a lot of design and discussion meetings. Naturally, we try to lock ourselves down in dungeons without wifi access and without laptops (not!) to avoid distractions and great weather of early autumn in Southern Moravia. This has unfortunate effect of reducing our availability on the mailing lists and IRC channels. We are apologizing in case you have something urgent to help with and hope that someone will be able to help as time permits. Once we re-emerge from the dungeons of Red Hat Brno offices, there will be wiki updates and blog posts about what is discussed and reflected on. At least, I have plans to do so on a number of topics. On a brighter note, FreeIPA 4.2.1 is on its way to Fedora 23 repositories. It is currently pending the acceptance to updates-testing repository so we most likely miss Fedora 23 beta release but it gives us chances to test FreeIPA 4.1 to 4.2.1 upgrade path before final Fedora 23 release later this autumn. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15284 Once packages are in the repositories, we'll send a proper announcement of FreeIPA 4.2.1 release. -- / Alexander Bokovoy From mbasti at redhat.com Tue Sep 8 11:06:41 2015 From: mbasti at redhat.com (Martin Basti) Date: Tue, 8 Sep 2015 13:06:41 +0200 Subject: [Freeipa-users] SOA Serial changes overnight and is inconsisstent with replica In-Reply-To: References: Message-ID: <55EEC141.8040303@redhat.com> On 09/07/2015 03:00 PM, David Dejaeghere wrote: > Hello, > > I noticed on the couple of installs that I am running that my zones > have different soa serial values on both master and replica. 
I also > noticed that this value is changing without adding or removing a > record some time during the night. > > What exactly is changing this and how come these values become > inconsistant? > For example: > Serial on master: 1441509183 > Serial on replica: 1441597213 > > Is this expected? > > Kind Regards, > > David > > > Hello, does the replication between master and replica works? -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Tue Sep 8 11:16:36 2015 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 8 Sep 2015 13:16:36 +0200 Subject: [Freeipa-users] SOA Serial changes overnight and is inconsisstent with replica In-Reply-To: <55EEC141.8040303@redhat.com> References: <55EEC141.8040303@redhat.com> Message-ID: <55EEC394.3060609@redhat.com> On 8.9.2015 13:06, Martin Basti wrote: > > > On 09/07/2015 03:00 PM, David Dejaeghere wrote: >> Hello, >> >> I noticed on the couple of installs that I am running that my zones have >> different soa serial values on both master and replica. I also noticed that >> this value is changing without adding or removing a record some time during >> the night. >> >> What exactly is changing this and how come these values become inconsistant? >> For example: >> Serial on master: 1441509183 >> Serial on replica: 1441597213 >> >> Is this expected? >> >> Kind Regards, >> >> David >> >> >> > Hello, > > does the replication between master and replica works? SOA is specific for replica (as IPA provides multi-master DNS) and is not replicated. SOA serial in each zone is incremented upon BIND restart so e.g. logrotate during night might cause SOA to increment. 
-- Petr^2 Spacek From david.dejaeghere at gmail.com Tue Sep 8 12:06:13 2015 From: david.dejaeghere at gmail.com (David Dejaeghere) Date: Tue, 8 Sep 2015 14:06:13 +0200 Subject: [Freeipa-users] SOA Serial changes overnight and is inconsisstent with replica In-Reply-To: <55EEC394.3060609@redhat.com> References: <55EEC141.8040303@redhat.com> <55EEC394.3060609@redhat.com> Message-ID: @Martin Basti, yes replication is fine. @Petr. I understood bind restart caused an increment. But I was unaware that this value was not replicated. If I add a record to a zone the SOA serials do get in sync again. But I understand the multimaster setup and now I understand where this nightly increment is comming from. It is indeed logrotate. Kind Regards, David 2015-09-08 13:16 GMT+02:00 Petr Spacek : > On 8.9.2015 13:06, Martin Basti wrote: > > > > > > On 09/07/2015 03:00 PM, David Dejaeghere wrote: > >> Hello, > >> > >> I noticed on the couple of installs that I am running that my zones have > >> different soa serial values on both master and replica. I also noticed > that > >> this value is changing without adding or removing a record some time > during > >> the night. > >> > >> What exactly is changing this and how come these values become > inconsistant? > >> For example: > >> Serial on master: 1441509183 > >> Serial on replica: 1441597213 > >> > >> Is this expected? > >> > >> Kind Regards, > >> > >> David > >> > >> > >> > > Hello, > > > > does the replication between master and replica works? > > SOA is specific for replica (as IPA provides multi-master DNS) and is not > replicated. SOA serial in each zone is incremented upon BIND restart so > e.g. > logrotate during night might cause SOA to increment. > > -- > Petr^2 Spacek > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... 
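Petr Spacek's follow-up in this thread gives the rule bind-dyndb-ldap applies on a reload (set the serial to the current unix timestamp when the stored serial is behind it, otherwise add one) and notes that the serial is kept per server and never replicated. The block below is an added example for this archive, not bind-dyndb-ldap code: it implements that rule (reading the second branch as the complementary "old serial >= now" case, which is my assumption), replays a constructed pair of logrotate restarts using the two serials David posted as the restart times, and shows why a slave that switches masters can end up not refreshing, which is the consequence Petr draws. Serial comparison uses RFC 1982 arithmetic.

```python
"""SOA serial drift between IPA DNS masters, and what it does to slaves.

Added example, not bind-dyndb-ldap code. next_serial() follows the rule
Petr Spacek gives in this thread; the "else" branch is my reading of the
case where the stored serial is already at or past the current time.
Timestamps below are constructed from the two serials David posted.
"""

SERIAL_MOD = 2 ** 32
SERIAL_HALF = 2 ** 31


def next_serial(old, now):
    """Serial written when the zone is reloaded (e.g. on a BIND restart)
    at unix time `now`: jump to the timestamp if the stored serial is
    behind it, otherwise step by one so the serial still moves forward."""
    return now if old < now else old + 1


def replay_restarts(initial, restart_times):
    """Apply next_serial() for each restart, in time order."""
    serial = initial
    for t in sorted(restart_times):
        serial = next_serial(serial, t)
    return serial


def serial_gt(a, b):
    """RFC 1982 serial comparison: is a "greater than" b on the 32-bit circle?"""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def slave_needs_transfer(slave_serial, master_serial):
    """A secondary only pulls the zone when the master's serial is newer."""
    return serial_gt(master_serial, slave_serial)


def compare_masters(serials):
    """serials: {master: serial}. Returns (all_equal, spread). A mismatch
    between IPA masters is expected, since each keeps its own serial;
    it is not by itself a sign of broken replication."""
    values = list(serials.values())
    return len(set(values)) == 1, max(values) - min(values)


# Constructed scenario: both masters start from the same serial, then each
# is restarted by its own logrotate run at a different time of night.
START = 1441500000
MASTER_RESTART = 1441509183     # David's "serial on master"
REPLICA_RESTART = 1441597213    # David's "serial on replica"


def scenario():
    master = replay_restarts(START, [MASTER_RESTART])
    replica = replay_restarts(START, [REPLICA_RESTART])
    return {
        "master": master,
        "replica": replica,
        # a slave that last transferred from the replica and then failed
        # over to the master sees a lower serial and does not refresh
        "slave_refreshes_after_failover": slave_needs_transfer(replica, master),
    }


if __name__ == "__main__":
    print(scenario())
```

The `+1` branch is what you see when two reloads land in the same second, or after the serial has been pushed ahead of the clock; the timestamp branch is what logrotate's nightly restart produces, and since each master's restart happens at its own time the two serials come out different even though the zone data is identical.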
From pspacek at redhat.com Tue Sep 8 12:30:15 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 8 Sep 2015 14:30:15 +0200
Subject: [Freeipa-users] SOA Serial changes overnight and is inconsisstent with replica
In-Reply-To:
References: <55EEC141.8040303@redhat.com> <55EEC394.3060609@redhat.com>
Message-ID: <55EED4D7.8030301@redhat.com>

On 8.9.2015 14:06, David Dejaeghere wrote:
> @Petr. I understood bind restart caused an increment. But I was unaware
> that this value was not replicated. If I add a record to a zone the SOA
> serials do get in sync again. But I understand the multimaster setup and
> now I understand where this nightly increment is coming from. It is indeed
> logrotate.

For the record, bind-dyndb-ldap tries to set the SOA serial to unix timestamp if old SOA serial < current timestamp. If old SOA serial <= current timestamp then it is incremented by one.

This + different logrotate configuration might explain the difference.

The consequence is that your DNS slaves should be configured to use the same master all the time and fail over only if the original master is not available.

Petr^2 Spacek

> Kind Regards,
>
> David
>
> 2015-09-08 13:16 GMT+02:00 Petr Spacek :
>
>> On 8.9.2015 13:06, Martin Basti wrote:
>>>
>>>
>>> On 09/07/2015 03:00 PM, David Dejaeghere wrote:
>>>> Hello,
>>>>
>>>> I noticed on the couple of installs that I am running that my zones have
>>>> different soa serial values on both master and replica. I also noticed
>> that
>>>> this value is changing without adding or removing a record some time
>> during
>>>> the night.
>>>>
>>>> What exactly is changing this and how come these values become
>> inconsistent?
>>>> For example:
>>>> Serial on master: 1441509183
>>>> Serial on replica: 1441597213
>>>>
>>>> Is this expected?
>>>>
>>>> Kind Regards,
>>>>
>>>> David
>>>>
>>>>
>>>>
>>> Hello,
>>>
>>> does the replication between master and replica works?
>> >> SOA is specific for replica (as IPA provides multi-master DNS) and is not >> replicated. SOA serial in each zone is incremented upon BIND restart so >> e.g. >> logrotate during night might cause SOA to increment. >> >> -- >> Petr^2 Spacek From morgan at marodin.it Tue Sep 8 13:09:41 2015 From: morgan at marodin.it (Morgan Marodin) Date: Tue, 8 Sep 2015 15:09:41 +0200 Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER In-Reply-To: References: Message-ID: I've solved this error, reading this forum: https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html But now when I try to trust to my Active Directory I see these errors: -------------------- # ipa trust-add --type=ad mydomain.com --admin Administrator --password Active Directory domain administrator's password: ipa: ERROR: CIFS server communication error: code "-1073741258", message "The connection was refused" (both may be "None") Here my logs: -------------------- ==> /var/log/httpd/error_log <== Failed to connect host 192.168.0.65 on port 135 - NT_STATUS_CONNECTION_REFUSED Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED. 
[Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO: [jsonserver_kerb] admin at IPA.MYDOMAIN.COM: trust_add(u'mydomain.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): RemoteRetrieveError ==> /var/log/samba/log.192.168.0.65 <== [2015/09/08 15:01:50.833128, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info) Username IPA\admin is invalid on this system [2015/09/08 15:01:50.833200, 1] ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac) Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE) [2015/09/08 15:01:50.833236, 1] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego) Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED [2015/09/08 15:01:50.852169, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info) Username IPA\admin is invalid on this system [2015/09/08 15:01:50.852222, 1] ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac) Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE) [2015/09/08 15:01:50.852256, 1] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego) Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED -------------------- I don't see any 135 TCP listening port, doing tcpdump I see that it tryes to do a connection in its 135 port. What am I missing? Thanks, Morgan > Subject: [Freeipa-users] freeipa cert validation failed, > SEC_ERROR_UNTRUSTED_ISSUER Date: Tue, 08 Sep 2015 11:00:49 +0200 > > To: > Hi everyone. > > I've a problem with my new freeipa installation, v4.1.0, over RHEL 7 like > distribution. 
> > The installation was ok, but now I've some problems operating via CLI: > # ipa user-show admin > ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O= > IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer > has been marked as not trusted by the user.) > ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json': > (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as > not trusted by the user. > > I've got the same problem connectiong via curl, but after doing these > command for curl now it works, but not for ipa cli operations: > ---------------------- > # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt > # certutil -L -d /etc/pki/nssdb > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > IPA CA CT,C,C > # cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ > # update-ca-trust extract > ---------------------- > > And also this command doesn't work: > # ipa trust-add --type=ad mydomain.com --admin Administrator --password > ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O= > IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer > has been marked as not trusted by the user.) > ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json': > (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as > not trusted by the user. > > So ... what's the problem? > > Let me know, thanks. > Morgan > -------------- next part -------------- An HTML attachment was scrubbed... 
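Morgan's httpd log shows the trust setup being refused on port 135 of the IPA server itself. Alexander Bokovoy's reply later in this thread lists the TCP ports smbd should be listening on for this to work (135, 139, 445 and 1024 in his `netstat -nltup` output), and Morgan's follow-up shows only 139 and 445. The block below is an added example for this archive, not FreeIPA code: it parses `netstat -nltup` lines and reports which of those expected smbd ports are absent, so the gap is visible before the next `ipa trust-add` attempt. The two sample outputs are the ones from the thread with the column spacing reconstructed.

```python
"""Which of the smbd ports an IPA trust controller needs are listening?

Added example, not FreeIPA code. EXPECTED_SMBD_PORTS is the set from
Alexander Bokovoy's reply in this thread. The sample outputs are the
thread's, with netstat column spacing reconstructed.
"""
import re

EXPECTED_SMBD_PORTS = {135, 139, 445, 1024}

# proto recv-q send-q local-address foreign-address [state] pid/program
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+LISTEN)?\s+(?P<pid>\d+)/(?P<prog>\S+)\s*$"
)


def listening_ports(netstat_output, program="smbd", proto_prefix="tcp"):
    """Ports on which `program` is listening, from `netstat -nltup` text.
    IPv4 and IPv6 sockets on the same port collapse into one entry."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if m and m["prog"] == program and m["proto"].startswith(proto_prefix):
            ports.add(int(m["port"]))
    return ports


def missing_smbd_ports(netstat_output):
    """Expected smbd ports with no listener; empty means the set is complete."""
    return sorted(EXPECTED_SMBD_PORTS - listening_ports(netstat_output))


# Alexander's reference output for a working IPA master.
EXPECTED_OUTPUT = """\
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      12420/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      12417/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      12417/smbd
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      12422/smbd
tcp6       0      0 :::135                  :::*                    LISTEN      12420/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      12417/smbd
tcp6       0      0 :::445                  :::*                    LISTEN      12417/smbd
tcp6       0      0 :::1024                 :::*                    LISTEN      12422/smbd
"""

# Morgan's output from the follow-up: the file-sharing ports only.
MORGAN_OUTPUT = """\
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      3149/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      3149/smbd
"""


if __name__ == "__main__":
    for label, text in (("reference", EXPECTED_OUTPUT), ("morgan", MORGAN_OUTPUT)):
        print(label, "listening:", sorted(listening_ports(text)),
              "missing:", missing_smbd_ports(text))
```

On Morgan's host the check reports 135 and 1024 missing; 135 is the port the `Failed to connect host 192.168.0.65 on port 135` line in the httpd log refers to, so the trust-add failure and the netstat gap are the same finding seen from two sides.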
URL: From abokovoy at redhat.com Tue Sep 8 13:21:19 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 8 Sep 2015 16:21:19 +0300 Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER In-Reply-To: References: Message-ID: <20150908132119.GV22106@redhat.com> On Tue, 08 Sep 2015, Morgan Marodin wrote: >I've solved this error, reading this forum: >https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html > >But now when I try to trust to my Active Directory I see these errors: >-------------------- ># ipa trust-add --type=ad mydomain.com --admin Administrator --password >Active Directory domain administrator's password: >ipa: ERROR: CIFS server communication error: code "-1073741258", > message "The connection was refused" (both may be "None") > >Here my logs: >-------------------- >==> /var/log/httpd/error_log <== >Failed to connect host 192.168.0.65 on port 135 - >NT_STATUS_CONNECTION_REFUSED >Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 - >NT_STATUS_CONNECTION_REFUSED. >[Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO: >[jsonserver_kerb] admin at IPA.MYDOMAIN.COM: trust_add(u'mydomain.com', >trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', >all=False, raw=False, version=u'2.112'): RemoteRetrieveError > >==> /var/log/samba/log.192.168.0.65 <== >[2015/09/08 15:01:50.833128, 1] >../source3/auth/user_krb5.c:164(get_user_from_kerberos_info) > Username IPA\admin is invalid on this system This is your problem. Does your system have SSSD actually running? 
List of ports that smbd should be listening on on IPA master: # netstat -nltup|grep smbd tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 12420/smbd tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 12417/smbd tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 12417/smbd tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 12422/smbd tcp6 0 0 :::135 :::* LISTEN 12420/smbd tcp6 0 0 :::139 :::* LISTEN 12417/smbd tcp6 0 0 :::445 :::* LISTEN 12417/smbd tcp6 0 0 :::1024 :::* LISTEN 12422/smbd -- / Alexander Bokovoy From morgan at marodin.it Tue Sep 8 13:45:57 2015 From: morgan at marodin.it (Morgan Marodin) Date: Tue, 8 Sep 2015 15:45:57 +0200 Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER In-Reply-To: <20150908132119.GV22106@redhat.com> References: <20150908132119.GV22106@redhat.com> Message-ID: Hi Alexander, thanks for your support. These are my open ports after running sssd: # netstat -nltup | grep smbd tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 3149/smbd tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 3149/smbd After running SSD error doing trust changes: # ipa trust-add --type=ad mydomain.com --admin Administrator --password Active Directory domain administrator's password: ipa: ERROR: Cannot find specified domain or server name Logs: ==> /var/log/httpd/error_log <== [Tue Sep 08 15:14:46.486031 2015] [:error] [pid 2221] ipa: INFO: [jsonserver_session] admin at IPA.MYDOMAIN.COM: trust_add(u'mydomain.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', realm_server=u'srv01.MYDOMAIN.com', all=False, raw=False, version=u'2.112'): NotFound ==> /var/log/samba/log.winbindd-idmap <== [2015/09/08 15:14:46.482578, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain) idmap range not specified for domain * [2015/09/08 15:14:46.483715, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain) idmap range not specified for domain * But DNS seems ok: ------------------------ # dig SRV _ldap._tcp.ipa.mydomain.com @dc01.mydomain.com ; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._ 
tcp.ipa.mydomain.com @dc01.mydomain.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47124 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4000 ;; QUESTION SECTION: ;_ldap._tcp.ipa.mydomain.com. IN SRV ;; ANSWER SECTION: _ldap._tcp.ipa.mydomain.com. 83913 IN SRV 0 100 389 srv01.ipa.mydomain.com. ;; ADDITIONAL SECTION: srv01.ipa.mydomain.com. 3600 IN A 192.168.0.65 ;; Query time: 1 msec ;; SERVER: 192.168.0.31#53(192.168.0.31) ;; WHEN: Tue Sep 08 15:39:03 CEST 2015 ;; MSG SIZE rcvd: 122 # dig SRV _ldap._tcp.ipa.mydomain.com @localhost ; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._ tcp.ipa.mydomain.com @localhost ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18190 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;_ldap._tcp.ipa.mydomain.com. IN SRV ;; ANSWER SECTION: _ldap._tcp.ipa.mydomain.com. 86400 IN SRV 0 100 389 srv01.ipa.mydomain.com. ;; AUTHORITY SECTION: ipa.mydomain.com. 86400 IN NS srv01.ipa.mydomain.com. ;; ADDITIONAL SECTION: srv01.ipa.mydomain.com. 86400 IN A 192.168.0.65 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Sep 08 15:32:50 CEST 2015 ;; MSG SIZE rcvd: 136 ------------------------ # dig SRV _ldap._tcp.mydomain.com @dc01.mydomain.com ; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.mydomain.com @ dc01.mydomain.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60503 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4000 ;; QUESTION SECTION: ;_ldap._tcp.mydomain.com. IN SRV ;; ANSWER SECTION: _ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 dc02.mydomain.com. _ldap._tcp.mydomain.com. 
600 IN SRV 0 100 389 dc01.mydomain.com. ;; ADDITIONAL SECTION: dc02.mydomain.com. 3600 IN A 192.168.0.15 dc01.mydomain.com. 3600 IN A 192.168.0.31 ;; Query time: 1 msec ;; SERVER: 192.168.0.31#53(192.168.0.31) ;; WHEN: Tue Sep 08 15:33:27 CEST 2015 ;; MSG SIZE rcvd: 172 # dig SRV _ldap._tcp.mydomain.com @localhost ; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.mydomain.com @localhost ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36890 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 4 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;_ldap._tcp.mydomain.com. IN SRV ;; ANSWER SECTION: _ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 dc02.mydomain.com. _ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 dc01.mydomain.com. ;; AUTHORITY SECTION: . 78287 IN NS c.root-servers.net. . 78287 IN NS g.root-servers.net. . 78287 IN NS f.root-servers.net. . 78287 IN NS e.root-servers.net. . 78287 IN NS i.root-servers.net. . 78287 IN NS b.root-servers.net. . 78287 IN NS d.root-servers.net. . 78287 IN NS m.root-servers.net. . 78287 IN NS h.root-servers.net. . 78287 IN NS a.root-servers.net. . 78287 IN NS j.root-servers.net. . 78287 IN NS l.root-servers.net. . 78287 IN NS k.root-servers.net. ;; ADDITIONAL SECTION: dc01.mydomain.com. 2702 IN A 192.168.0.31 dc02.mydomain.com. 2702 IN A 192.168.0.15 d.root-servers.net. 78287 IN A 199.7.91.13 ;; Query time: 1203 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Sep 08 15:33:12 CEST 2015 ;; MSG SIZE rcvd: 399 ------------------------ I've noticed idmap range error in logs, could be a Samba/Winbind problem? 
Thanks, Morgan

2015-09-08 15:21 GMT+02:00 Alexander Bokovoy:

> On Tue, 08 Sep 2015, Morgan Marodin wrote:
>
>> I've solved this error, reading this forum:
>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html
>>
>> But now when I try to trust to my Active Directory I see these errors:
>> --------------------
>> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
>> Active Directory domain administrator's password:
>> ipa: ERROR: CIFS server communication error: code "-1073741258",
>> message "The connection was refused" (both may be "None")
>>
>> Here are my logs:
>> --------------------
>> ==> /var/log/httpd/error_log <==
>> Failed to connect host 192.168.0.65 on port 135 - NT_STATUS_CONNECTION_REFUSED
>> Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
>> [Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO: [jsonserver_kerb] admin at IPA.MYDOMAIN.COM: trust_add(u'mydomain.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): RemoteRetrieveError
>>
>> ==> /var/log/samba/log.192.168.0.65 <==
>> [2015/09/08 15:01:50.833128, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>   Username IPA\admin is invalid on this system
>>
> This is your problem. Does your system have SSSD actually running?
>
>
> List of ports that smbd should be listening on on IPA master:
> # netstat -nltup|grep smbd
> tcp    0  0 0.0.0.0:135   0.0.0.0:*  LISTEN  12420/smbd
> tcp    0  0 0.0.0.0:139   0.0.0.0:*  LISTEN  12417/smbd
> tcp    0  0 0.0.0.0:445   0.0.0.0:*  LISTEN  12417/smbd
> tcp    0  0 0.0.0.0:1024  0.0.0.0:*  LISTEN  12422/smbd
> tcp6   0  0 :::135        :::*       LISTEN  12420/smbd
> tcp6   0  0 :::139        :::*       LISTEN  12417/smbd
> tcp6   0  0 :::445        :::*       LISTEN  12417/smbd
> tcp6   0  0 :::1024       :::*       LISTEN  12422/smbd
>
> --
> / Alexander Bokovoy
>

--
Morgan Marodin
email: morgan at marodin.it
mobile: +39.3477829069
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mkosek at redhat.com Tue Sep 8 14:23:40 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 8 Sep 2015 16:23:40 +0200
Subject: [Freeipa-users] Replacing the "master"
In-Reply-To:
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com> <55E8C2EE.1020708@redhat.com> <55E93886.6030007@redhat.com> <55E999C2.3060103@redhat.com>
Message-ID: <55EEEF6C.1070006@redhat.com>

On 09/06/2015 10:45 PM, Steven Jones wrote:
>
> Martin Kosek wrote:
>> On 09/04/2015 12:00 AM, Rob Crittenden wrote:
>>> Steven Jones wrote:
>>>> I have a 3 node IPA cluster, I have replaced the 2 "slaves", however when I
>>>> try and remove the last one, the master, it says,
>>>>
>>>> "[root at vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.xxxxxxxx
>>>> Directory Manager password:
>>>>
>>>> Deleting a master is irreversible.
>>>> To reconnect to the remote master you will need to prepare a new replica file
>>>> and re-install.
>>>> Continue to delete? [no]: yes
>>>> Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx and
>>>> vuwunicoipam003.xxxxxxxxx
>>>> You will need to reconfigure your replication topology to delete this server.
>>>> [root at vuwunicoipam001 thing]# ipa-replica-manage list
>>>> Directory Manager password:
>>>>
>>>> vuwunicoipam002.xxxxxxxx master
>>>> vuwunicoipam003.xxxxxxxx master
>>>> vuwunicoipam001.xxxxxxxx master
>>>> [root at vuwunicoipam001 thing]#"
>>>>
>>>> So how do I re-configure?
>>>
>>> Every server is a master. The only differences may be the services running (CA
>>> and/or DNS) and only one generates the CRL and manages certificate renewal.
>>> Otherwise they are all equal masters.
>>>
>>> This doesn't show the topology. Were I to guess it looks like:
>>>
>>>       001
>>>      /   \
>>>    002   003
>>>
>>> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
>>>
>
> Did that,
>
> Topology is now,
>
>       002
>      /   \
>    001 - 003
>
> We lost 001 so had to promote 002 to the "master".
>
> I don't recall nor can I find anything in the docs on this process, maybe update your docs to reflect this essential step?
>
>> However, in this case this should not be a problem AFAIK, given that
>> ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:
>>
>> https://fedorahosted.org/freeipa/ticket/3321
>
> RHEL6.7, IPA 3.0.
>
> I am trying to upgrade to RHEL7.1 and IPA4.1 and want to fix any mistakes made when the setup was first built in RHEL6.2
>
> "Also be aware of the DNA config"
>
> oh joy....all these hidden land mines to discover.
>
> :(
>
> I suppose the next Q is what queries do I have to run in order to collect all the relevant [mis-]config to compare against the ideal and then plan to fix these, and what is the ideal?

You can check "man ipa-replica-manage" for more practical information about DNA
range updates and to see the commands that can be used to show or modify the
DNA ranges with the servers in case something goes wrong.
I do not think this blocks the migration in any way, you should just be aware
and know where to look in case user-add starts to fail because of depleted range.

Martin

From mkosek at redhat.com Tue Sep 8 14:39:51 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 8 Sep 2015 16:39:51 +0200
Subject: [Freeipa-users] Replacing the "master"
In-Reply-To: <55EEEF6C.1070006@redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com> <55E8C2EE.1020708@redhat.com> <55E93886.6030007@redhat.com> <55E999C2.3060103@redhat.com> <55EEEF6C.1070006@redhat.com>
Message-ID: <55EEF337.3080906@redhat.com>

On 09/08/2015 04:23 PM, Martin Kosek wrote:
> On 09/06/2015 10:45 PM, Steven Jones wrote:
>>
>> Martin Kosek wrote:
>>> On 09/04/2015 12:00 AM, Rob Crittenden wrote:
>>>> Steven Jones wrote:
>>>>> I have a 3 node IPA cluster, I have replaced the 2 "slaves", however when I
>>>>> try and remove the last one, the master, it says,
>>>>>
>>>>> "[root at vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.xxxxxxxx
>>>>> Directory Manager password:
>>>>>
>>>>> Deleting a master is irreversible.
>>>>> To reconnect to the remote master you will need to prepare a new replica file
>>>>> and re-install.
>>>>> Continue to delete? [no]: yes
>>>>> Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx and
>>>>> vuwunicoipam003.xxxxxxxxx
>>>>> You will need to reconfigure your replication topology to delete this server.
>>>>> [root at vuwunicoipam001 thing]# ipa-replica-manage list
>>>>> Directory Manager password:
>>>>>
>>>>> vuwunicoipam002.xxxxxxxx master
>>>>> vuwunicoipam003.xxxxxxxx master
>>>>> vuwunicoipam001.xxxxxxxx master
>>>>> [root at vuwunicoipam001 thing]#"
>>>>>
>>>>> So how do I re-configure?
>>>>
>>>> Every server is a master. The only differences may be the services running (CA
>>>> and/or DNS) and only one generates the CRL and manages certificate renewal.
>>>> Otherwise they are all equal masters.
>>>>
>>>> This doesn't show the topology. Were I to guess it looks like:
>>>>
>>>>       001
>>>>      /   \
>>>>    002   003
>>>>
>>>> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
>>>>
>>
>> Did that,
>>
>> Topology is now,
>>
>>       002
>>      /   \
>>    001 - 003
>>
>> We lost 001 so had to promote 002 to the "master".
>>
>> I don't recall nor can I find anything in the docs on this process, maybe update your docs to reflect this essential step?
>>
>>> However, in this case this should not be a problem AFAIK, given that
>>> ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:
>>>
>>> https://fedorahosted.org/freeipa/ticket/3321
>>
>> RHEL6.7, IPA 3.0.
>>
>> I am trying to upgrade to RHEL7.1 and IPA4.1 and want to fix any mistakes made when the setup was first built in RHEL6.2

BTW, this depends on what type of mistakes you did. Not all can be easily fixed
(like wrong realm for example). But overall, there is a decent HOWTO on the
migration on these pages:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

>>
>> "Also be aware of the DNA config"
>>
>> oh joy....all these hidden land mines to discover.
>>
>> :(
>>
>> I suppose the next Q is what queries do I have to run in order to collect all the relevant [mis-]config to compare against the ideal and then plan to fix these, and what is the ideal?
>
> You can check "man ipa-replica-manage" for more practical information about DNA
> range updates and to see the commands that can be used to show or modify the
> DNA ranges with the servers in case something goes wrong.
>
> I do not think this blocks the migration in any way, you should just be aware
> and know where to look in case user-add starts to fail because of depleted range.
>
> Martin
>

From rcritten at redhat.com Tue Sep 8 15:20:05 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 08 Sep 2015 11:20:05 -0400
Subject: [Freeipa-users] Ugrading IPA to dogtag? CA?
In-Reply-To:
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com> <55E99C05.3020706@redhat.com>
Message-ID: <55EEFCA5.6040007@redhat.com>

Steven Jones wrote:
> RHEL6.7 and IPA 3.0
>
> "self-signed" not understanding such terminology terribly well, I am not sure at all.
>
> What command will tell me what I have?

Do you have a dogtag CA instance?

ipactl status

rob

>
> regards
>
> Steven
>
> ________________________________________
> From: Rob Crittenden
> Sent: Saturday, 5 September 2015 1:26 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Ugrading IPA to dogtag? CA?
>
> Steven Jones wrote:
>> It seems I built IPA with self signed certs so I need to upgrade? is this possible? and if so how on existing servers?
>
> I think it depends heavily on what version of IPA you are running and
> what you mean by self-signed.
>
> rob
>
>

From rcritten at redhat.com Tue Sep 8 15:32:04 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 08 Sep 2015 11:32:04 -0400
Subject: [Freeipa-users] Antwort: Re: Antwort: Re: Faulty LDAP record
In-Reply-To:
References: <55E9B449.7060405@redhat.com>
Message-ID: <55EEFF74.2070101@redhat.com>

Christoph Kaminski wrote:
> Youenn PIOLET wrote on 07.09.2015 14:13:35:
>
> > From: Youenn PIOLET
> > To: Christoph Kaminski
> > Cc: Ludwig Krispenz, freeipa-users at redhat.com
> > Date: 07.09.2015 14:16
> > Subject: Re: [Freeipa-users] Antwort: Re: Faulty LDAP record
> >
> > Hi,
> > Did you try to restart the directory server?
> > I had a similar experience in compat tree, maybe your problem is
> > some kind of "ghost" entry that will not reappear after a restart.
> >
> > Regards,
> >
>
> yep tried it already...

I'd double-check the dn using ldapsearch.

rob

From morgan at marodin.it Tue Sep 8 15:55:47 2015
From: morgan at marodin.it (Morgan Marodin)
Date: Tue, 8 Sep 2015 17:55:47 +0200
Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
In-Reply-To: <20150908132119.GV22106@redhat.com>
References: <20150908132119.GV22106@redhat.com>
Message-ID:

Also when doing the trust manually (as explained here http://www.freeipa.org/page/Active_Directory_trust_setup) the command fails in the same way:

# ipa trust-add --type=ad MYDOMAIN.COM --trust-secret
Shared secret for the trust:
ipa: ERROR: Cannot find specified domain or server name

==> /var/log/httpd/access_log <==
192.168.0.65 - - [08/Sep/2015:17:50:21 +0200] "POST /ipa/session/json HTTP/1.1" 200 185

==> /var/log/httpd/error_log <==
[Tue Sep 08 17:50:22.183939 2015] [:error] [pid 4265] ipa: INFO: [jsonserver_session] admin at IPA.MYDOMAIN.COM: trust_add(u'MYDOMAIN.COM', trust_type=u'ad', trust_secret=u'********', all=False, raw=False, version=u'2.112'): NotFound

==> /var/log/samba/log.winbindd-idmap <==
[2015/09/08 17:50:22.178007, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.178984, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.179771, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.179863, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *

:(

Morgan

2015-09-08 15:21 GMT+02:00 Alexander Bokovoy:

> On Tue, 08 Sep 2015, Morgan Marodin wrote:
>
>> I've solved this error, reading this forum:
>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html
>>
>> But now when I try to trust to my Active Directory I see these errors:
>> --------------------
>> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
>> Active Directory domain administrator's password:
>> ipa: ERROR: CIFS server communication error: code "-1073741258",
>> message "The connection was refused" (both may be "None")
>>
>> Here are my logs:
>> --------------------
>> ==> /var/log/httpd/error_log <==
>> Failed to connect host 192.168.0.65 on port 135 - NT_STATUS_CONNECTION_REFUSED
>> Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
>> [Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO: [jsonserver_kerb] admin at IPA.MYDOMAIN.COM: trust_add(u'mydomain.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): RemoteRetrieveError
>>
>> ==> /var/log/samba/log.192.168.0.65 <==
>> [2015/09/08 15:01:50.833128, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>   Username IPA\admin is invalid on this system
>>
> This is your problem. Does your system have SSSD actually running?
>
>
> List of ports that smbd should be listening on on IPA master:
> # netstat -nltup|grep smbd
> tcp    0  0 0.0.0.0:135   0.0.0.0:*  LISTEN  12420/smbd
> tcp    0  0 0.0.0.0:139   0.0.0.0:*  LISTEN  12417/smbd
> tcp    0  0 0.0.0.0:445   0.0.0.0:*  LISTEN  12417/smbd
> tcp    0  0 0.0.0.0:1024  0.0.0.0:*  LISTEN  12422/smbd
> tcp6   0  0 :::135        :::*       LISTEN  12420/smbd
> tcp6   0  0 :::139        :::*       LISTEN  12417/smbd
> tcp6   0  0 :::445        :::*       LISTEN  12417/smbd
> tcp6   0  0 :::1024       :::*       LISTEN  12422/smbd
>
> --
> / Alexander Bokovoy
>

--
Morgan Marodin
email: morgan at marodin.it
mobile: +39.3477829069
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Tue Sep 8 16:39:01 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 8 Sep 2015 19:39:01 +0300
Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
In-Reply-To:
References: <20150908132119.GV22106@redhat.com>
Message-ID: <20150908163901.GW22106@redhat.com>

On Tue, 08 Sep 2015, Morgan Marodin wrote:
>Also doing trust manually (as explained here
>http://www.freeipa.org/page/Active_Directory_trust_setup) the command fail
>in the same mode:
>
># ipa trust-add --type=ad MYDOMAIN.COM --trust-secret
>Shared secret for the trust:
>ipa: ERROR: Cannot find specified domain or server name
>
>==> /var/log/httpd/access_log <==
>192.168.0.65 - - [08/Sep/2015:17:50:21 +0200] "POST /ipa/session/json
>HTTP/1.1" 200 185
>
>==> /var/log/httpd/error_log <==
>[Tue Sep 08 17:50:22.183939 2015] [:error] [pid 4265] ipa: INFO:
>[jsonserver_session] admin at IPA.MYDOMAIN.COM: trust_add(u'MYDOMAIN.COM',
>trust_type=u'ad', trust_secret=u'********', all=False, raw=False,
>version=u'2.112'): NotFound

Enable debugging as instructed on the page you refer to above, and provide me
with the output as the page tells you.
--
/ Alexander Bokovoy

From arequipeno at gmail.com Tue Sep 8 18:13:34 2015
From: arequipeno at gmail.com (Ian Pilcher)
Date: Tue, 8 Sep 2015 13:13:34 -0500
Subject: [Freeipa-users] Vector/hi-res logo
Message-ID:

Now that I'm actually using IPA authentication for a few services within my
house, I'm going to set up a simple "start page" with a few links, including
a link to IPA web UI for password changes.

I'd like to use the FreeIPA logo, but I've only been able to find very small
and/or fuzzy versions. Does anyone know where I can find a high-resolution
or vector version of the logo?

Thanks!

--
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

From Steven.Jones at vuw.ac.nz Tue Sep 8 20:36:43 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 8 Sep 2015 20:36:43 +0000
Subject: [Freeipa-users] Ugrading IPA to dogtag? CA?
In-Reply-To: <55EEFCA5.6040007@redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com> <55E99C05.3020706@redhat.com> <55EEFCA5.6040007@redhat.com>
Message-ID:

[root at vuwunicoipam002 jonesst1]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
[root at vuwunicoipam002 jonesst1]#

regards

Steven

________________________________________
From: Rob Crittenden
Sent: Wednesday, 9 September 2015 3:20 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Ugrading IPA to dogtag? CA?
Steven Jones wrote:
> RHEL6.7 and IPA 3.0
>
> "self-signed" not understanding such terminology terribly well, I am not sure at all.
>
> What command will tell me what I have?

Do you have a dogtag CA instance?

ipactl status

rob

>
> regards
>
> Steven
>
> ________________________________________
> From: Rob Crittenden
> Sent: Saturday, 5 September 2015 1:26 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Ugrading IPA to dogtag? CA?
>
> Steven Jones wrote:
>> It seems I built IPA with self signed certs so I need to upgrade? is this possible? and if so how on existing servers?
>
> I think it depends heavily on what version of IPA you are running and
> what you mean by self-signed.
>
> rob
>
>

From Steven.Jones at vuw.ac.nz Tue Sep 8 20:43:23 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 8 Sep 2015 20:43:23 +0000
Subject: [Freeipa-users] Replacing the "master"
In-Reply-To: <55EEF337.3080906@redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com> <55E8C2EE.1020708@redhat.com> <55E93886.6030007@redhat.com> <55E999C2.3060103@redhat.com> <55EEEF6C.1070006@redhat.com> <55EEF337.3080906@redhat.com>
Message-ID:

as below,

regards

Steven

8><----
But overall, there is a decent HOWTO on the migration on these pages:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
8><----

fraid not, tried it.

==============
[root at vuwunicoipam004 thing]# ipa-replica-install --setup-ca --ip-address=10.100.32.53 --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.xxxxxxxxx.gpg
Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled

Directory Manager (existing master) password:

CA cannot be installed in CA-less setup.
[root at vuwunicoipam004 thing]#
======

From john at keates.nl Tue Sep 8 22:59:27 2015
From: john at keates.nl (John Keates)
Date: Wed, 9 Sep 2015 00:59:27 +0200
Subject: [Freeipa-users] pfSense DHCP to IPA's BIND dynamic updates success
Message-ID: <848E0F24-4219-4D27-B318-BDC537D752E4@keates.nl>

So I was having a DNS mess the other day and decided to clean it up. Before, I was running Unbound on pfSense which then had a domain override to the IPA box. It would forward all queries and IPA-wise all was well. Problem was that the domain was also used for a bunch of other things, like the outside world, and DHCP leases, because I want to be able to FQDN my machines and VMs.

At first, I thought I could somehow make a weird multi-master setup, or have Unbound rewrite queries or selectively forward or ignore the authoritative status of DNS servers, but that's a rather nasty hackish way to attempt to fix things, so I went for the option to have DHCPd feed its leases and updates to BIND, and make Unbound the 2nd DNS server in case of an IPA meltdown.

This turned out to be not-so-easy as you can't use GSSAPI on the pfSense box and the IPA interface doesn't allow you to create keys just like that. Solution? Manual edits! Now, I'm not sure if they will be preserved, but since I was using SaltStack to manage pretty much everything config-wise, I just make sure it keeps my settings around.

Here is how to configure things:

BIND-side:

1. Open /etc/named.conf in a root editor
2. Insert a key like this:

key "dhcp-key" {
    algorithm hmac-md5;
    secret "base64_string_here=";
};

Where the string "dhcp-key" can be anything, but you should remember what you put in there. The secret is a base64 string; if you are slightly clueless about that, use:

echo "yoursecrethere" | base64

and you will get your base64 string. Stick it in between the quotes and you're good.

3. Next, log in to the IPA UI and go to the Zone you'd like to have DHCP dynamically push to.
4. Click settings and turn on "Dynamic update" if it's not on already
5. Add an update policy, in this format:

grant dhcp-key wildcard * ANY;

This is rather insecure as you give anything that authenticates using the key called "dhcp-key" full update rights for all types on that zone. So if you want to restrict it, do so as you please. I believe it at least wants A and AAAA records and probably TXT.

6. Click the update button and you are all set on this end. Note: if you want to have reverse lookups as well, you have to repeat step 5 for the reverse zone too!

pfSense-side:

1. In pfSense, go to the DHCP server page
2. Enable "Enable registration of DHCP client names in DNS."
3. Enter the domain name of the zone you configured in IPA for dynamic updates
4. Enter the required fields (IP of the IPA server, the name (which is dhcp-key in this example) and the base64 string you generated)
5. Press save and you're good!

A few extras:

- You could add IPA as an NTP server here as well
- You should add the IPA server as the 1st DNS server
- You can add pfSense as the 2nd DNS server if you like

Please remember that at this point no DNS-related stuff on pfSense is used anymore as all clients will talk to IPA for their DNS needs from now on. If all you need is the one domain name, for example, if you use a unique domain just for internal IPA use, you're better off using the domain override.

I hope this helps someone, and might work as a basis for more robust and secure configuration, as this is something I just came up with today in a test environment.
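[Editor's added example, not part of John's post and not code from FreeIPA, BIND or pfSense.] The two places where the recipe above leaves room for hardening are the secret (base64-encoding a chosen word only re-encodes it, it adds no randomness, and TSIG is an HMAC whose whole strength is that key) and the update policy (`grant dhcp-key wildcard * ANY;` lets the DHCP server rewrite every record type in the zone, including NS, MX and the SRV records FreeIPA clients rely on). The POSIX shell script below draws the secret from /dev/urandom, renders the same named.conf key stanza, and emits update policies limited to the record types the post says DHCP needs (A, AAAA, TXT for the forward zone; PTR for the reverse zone). The key name dhcp-key and the hmac-md5 algorithm are taken from the post; the zone names example.test and 0.168.192.in-addr.arpa are placeholders, and the ipa dnszone-mod flags are assumed to be the CLI equivalent of Web UI steps 3 to 6.

```shell
#!/bin/sh
# Added example: generate a random TSIG secret, render a named.conf key stanza and
# a least-privilege update policy for DHCP dynamic DNS. Assumptions: key name
# "dhcp-key" and algorithm hmac-md5 from the post; zone names are placeholders.

# 32 random bytes, base64-encoded. A TSIG secret is an HMAC key: it must be random,
# so "echo yoursecrethere | base64" (which only re-encodes a word) is not enough.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Sanity check before pasting a secret anywhere: 32 bytes base64-encode to exactly
# 44 characters of the base64 alphabet, so a shorter or odd-looking string is wrong.
tsig_secret_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ "${#1}" -eq 44 ]
}

# named.conf "key" stanza, same shape as the one in the post. hmac-md5 is what the
# post used; prefer hmac-sha256 when both BIND and the DHCP side offer it (assumed).
render_key_stanza() {
    # $1 = key name, $2 = base64 secret, $3 = algorithm
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$3" "$2"
}

# Forward zone policy: only the types the post says DHCP registers, instead of ANY,
# so a leaked DHCP key cannot rewrite NS, MX or the _ldap/_kerberos SRV records.
render_forward_policy() {
    printf 'grant %s wildcard * A AAAA TXT;' "$1"
}

# Reverse zone policy: PTR is the only type DHCP writes there.
render_reverse_policy() {
    printf 'grant %s wildcard * PTR;' "$1"
}

# CLI equivalent of the Web UI steps (assumed ipa dnszone-mod flags). Only printed,
# so the script can be reviewed before anything is changed on the IPA master.
render_ipa_commands() {
    # $1 = key name, $2 = forward zone, $3 = reverse zone
    printf "ipa dnszone-mod %s --dynamic-update=TRUE --update-policy='%s'\n" \
        "$2" "$(render_forward_policy "$1")"
    printf "ipa dnszone-mod %s --dynamic-update=TRUE --update-policy='%s'\n" \
        "$3" "$(render_reverse_policy "$1")"
}

main() {
    key=dhcp-key
    secret=$(gen_tsig_secret)
    tsig_secret_ok "$secret" || { echo "secret generation failed" >&2; return 1; }
    # Output 1: the key stanza (put it in its own file and "include" it from
    # named.conf rather than editing the generated named.conf in place).
    render_key_stanza "$key" "$secret" hmac-md5
    # Output 2: the zone changes (placeholder zone names).
    render_ipa_commands "$key" example.test 0.168.192.in-addr.arpa
}

main
```

Running it prints the stanza and the two `ipa dnszone-mod` lines; the same secret then goes into the pfSense DHCP page (step 4 of the pfSense side). Because the forward policy names only A, AAAA and TXT, a DHCP update that tries to touch any other type is refused by BIND, which is the behaviour you want from a key that lives on a firewall appliance.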
John

From abokovoy at redhat.com Wed Sep 9 05:09:31 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 9 Sep 2015 08:09:31 +0300
Subject: [Freeipa-users] pfSense DHCP to IPA's BIND dynamic updates success
In-Reply-To: <848E0F24-4219-4D27-B318-BDC537D752E4@keates.nl>
References: <848E0F24-4219-4D27-B318-BDC537D752E4@keates.nl>
Message-ID: <20150909050931.GA22106@redhat.com>

On Wed, 09 Sep 2015, John Keates wrote:
>So I was having a DNS mess the other day and decided to clean it up.
>Before, I was running Unbound on pfSense which then had a domain
>override to the IPA box. It would forward all queries and IPA-wise all
>was well. Problem was that the domain was also used for a bunch of
>other things, like the outside world, and DHCP leases, because I want
>to be able to FQDN my machines and VMs.
>
>At first, I thought I could somehow make a weird multi-master setup, or
>have Unbound rewrite queries or selectively forward or ignore the
>authoritative status of DNS servers, but that's a rather nasty hackish
>way to attempt to fix things, so I went for the option to have DHCPd
>feed its leases and updates to BIND, and make Unbound the 2nd DNS
>server in case of an IPA meltdown.
>
>This turned out to be not-so-easy as you can't use GSSAPI on the
>pfSense box and the IPA interface doesn't allow you to create keys just
>like that. Solution? Manual edits! Now, I'm not sure if they will be
>preserved, but since I was using SaltStack to manage pretty much
>everything config-wise, I just make sure it keeps my settings around.
>
>Here is how to configure things:
>
>BIND-side:
>
>1. Open /etc/named.conf in a root editor
>2. Insert a key like this:
>
>key "dhcp-key" {
>    algorithm hmac-md5;
>    secret "base64_string_here=";
>};
>
>Where the string "dhcp-key" can be anything, but you should remember
>what you put in there. The secret is a base64 string; if you are
>slightly clueless about that, use: echo "yoursecrethere" | base64
>and you will get your base64 string.
>Stick it in between the quotes and
>you're good.
>
>3. Next, log in to the IPA UI and go to the Zone you'd like to have DHCP dynamically push to.
>4. Click settings and turn on "Dynamic update" if it's not on already
>5. Add an update policy, in this format:
>
>grant dhcp-key wildcard * ANY;
>
>This is rather insecure as you give anything that authenticates using
>the key called "dhcp-key" full update rights for all types on that
>zone. So if you want to restrict it, do so as you please. I believe it
>at least wants A and AAAA records and probably TXT.
>
>6. Click the update button and you are all set on this end. Note: if
>you want to have reverse lookups as well, you have to repeat step 5 for
>the reverse zone too!
>
>pfSense-side:
>
>1. In pfSense, go to the DHCP server page
>2. Enable "Enable registration of DHCP client names in DNS."
>3. Enter the domain name of the zone you configured in IPA for dynamic updates
>4. Enter the required fields (IP of the IPA server, the name (which is dhcp-key in this example) and the base64 string you generated)
>5. Press save and you're good!
>
>A few extras:
>
>- You could add IPA as an NTP server here as well
>- You should add the IPA server as the 1st DNS server
>- You can add pfSense as the 2nd DNS server if you like
>
>Please remember that at this point no DNS-related stuff on pfSense is
>used anymore as all clients will talk to IPA for their DNS needs from
>now on. If all you need is the one domain name, for example, if you
>use a unique domain just for internal IPA use, you're better off using
>the domain override.
>
>I hope this helps someone, and might work as a basis for more robust
>and secure configuration, as this is something I just came up with
>today in a test environment.

This looks reasonable. You may want to put your key definition into
something like /etc/named/my-dhcp-keys.conf and include it from there via
'include' statements but I think we don't upgrade named.conf after it was
originally created.
John, could you please add this to FreeIPA wiki?

--
/ Alexander Bokovoy

From morgan at marodin.it Wed Sep 9 07:01:51 2015
From: morgan at marodin.it (Morgan Marodin)
Date: Wed, 9 Sep 2015 09:01:51 +0200
Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
In-Reply-To: <20150908163901.GW22106@redhat.com>
References: <20150908132119.GV22106@redhat.com> <20150908163901.GW22106@redhat.com>
Message-ID:

Hi Alexander.

Ok, after enabling debugging I have these logs:
-------------------------------------------------------------------
==> /var/log/httpd/error_log <==
INFO: Current debug levels:
  all: 100
  tdb: 100
  printdrivers: 100
  lanman: 100
  smb: 100
  rpc_parse: 100
  rpc_srv: 100
  rpc_cli: 100
  passdb: 100
  sam: 100
  auth: 100
  winbind: 100
  vfs: 100
  idmap: 100
  quota: 100
  acls: 100
  locking: 100
  msdfs: 100
  dmapi: 100
  registry: 100
  scavenger: 100
  dns: 100
  ldb: 100
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
Using binding ncacn_np:srv01.ipa.mydomain.com[,]
s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
s4_tevent: Ending timer event 0x7f8a3c042170 "composite_trigger"
s4_tevent: Added timed event "connect_multi_timer": 0x7f8a3c49d850
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f8a3c042430
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f8a3c042430
s4_tevent: Destroying timer event 0x7f8a3c49d850 "connect_multi_timer"
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 663430
        SO_RCVBUF = 261942
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
s4_tevent: Added timed event "tevent_req_timedout": 0x7f8a3c042170
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f8a3c0c61c0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f8a3c0c61c0

==> /var/log/samba/log.smbd <==
[2015/09/09 08:45:04.867837, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order)
  check lock order 2 for /var/lib/samba/serverid.tdb
[2015/09/09 08:45:04.868013, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order)
  lock order: 1: 2:/var/lib/samba/serverid.tdb 3:
[2015/09/09 08:45:04.868084, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
  Locking key BC2B000000000000FFFFFFFF
[2015/09/09 08:45:04.868196, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal)
  Allocated locked data 0x0x7f7118a65820
[2015/09/09 08:45:04.868299, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
  Unlocking key BC2B000000000000FFFFFFFF
[2015/09/09 08:45:04.868355, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 2 for /var/lib/samba/serverid.tdb
[2015/09/09 08:45:04.868402, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order)
  lock order: 1: 2: 3:
[2015/09/09 08:45:04.868480, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/util_net.c:848(print_socket_options)
  Socket options:
        SO_KEEPALIVE = 1
        SO_REUSEADDR = 1
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 1
        SO_SNDBUF = 663430
        SO_RCVBUF = 262222
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
[2015/09/09 08:45:04.868852, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/util_net.c:848(print_socket_options)
  Socket options:
        SO_KEEPALIVE = 1
        SO_REUSEADDR = 1
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 1
        SO_SNDBUF = 663430
        SO_RCVBUF = 262222
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0

==> /var/log/samba/log.192.168.0.65 <==
[2015/09/09 08:45:04.869349, 6, pid=11196, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2661(lp_file_list_changed)
  lp_file_list_changed()
[2015/09/09 08:45:04.869486, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.0.65 (192.168.0.65)
[2015/09/09 08:45:04.869544, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:3540(smbd_process)
  Connection allowed from ipv4:192.168.0.65:46193 to ipv4:192.168.0.65:445
[2015/09/09 08:45:04.869634, 3, pid=11196, effective(0, 0), real(0, 0), class=locking] ../source3/smbd/oplock.c:870(init_oplocks)
  init_oplocks: initializing messages.
[2015/09/09 08:45:04.869686, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register) Registering messaging pointer for type 774 - private_data=0x7f7118a66100 [2015/09/09 08:45:04.869733, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register) Registering messaging pointer for type 776 - private_data=0x7f7118a66100 [2015/09/09 08:45:04.869778, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register) Registering messaging pointer for type 778 - private_data=0x7f7118a66100 [2015/09/09 08:45:04.869822, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register) Registering messaging pointer for type 770 - private_data=0x7f7118a66100 [2015/09/09 08:45:04.869894, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register) Registering messaging pointer for type 787 - private_data=0x7f7118a66100 [2015/09/09 08:45:04.869940, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register) Registering messaging pointer for type 779 - private_data=0x7f7118a66100 [2015/09/09 08:45:04.869989, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register) Registering messaging pointer for type 15 - private_data=(nil) [2015/09/09 08:45:04.870036, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:308(messaging_register) Overriding messaging pointer for type 15 - private_data=(nil) [2015/09/09 08:45:04.870081, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:340(messaging_deregister) Deregistering messaging pointer for type 16 - private_data=(nil) [2015/09/09 08:45:04.870126, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register) Registering messaging pointer for type 16 - private_data=0x7f7118a66100 [2015/09/09 08:45:04.870214, 5, pid=11196, effective(0, 0), real(0, 0)] 
../source3/lib/messages.c:340(messaging_deregister) Deregistering messaging pointer for type 33 - private_data=0x7f7118a55ed0 [2015/09/09 08:45:04.870264, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register) Registering messaging pointer for type 33 - private_data=0x7f7118a66100 [2015/09/09 08:45:04.870309, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:340(messaging_deregister) Deregistering messaging pointer for type 1 - private_data=(nil) [2015/09/09 08:45:04.870354, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register) Registering messaging pointer for type 1 - private_data=(nil) [2015/09/09 08:45:04.870417, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) s3_tevent: Added timed event "smbd_idle_event_handler": 0x7f7118a4b7d0 [2015/09/09 08:45:04.870464, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/events.c:483(event_add_idle) event_add_idle: idle_evt(keepalive) 0x7f7118a4b7d0 [2015/09/09 08:45:04.870513, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) s3_tevent: Added timed event "smbd_idle_event_handler": 0x7f7118a69420 [2015/09/09 08:45:04.870557, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/events.c:483(event_add_idle) event_add_idle: idle_evt(deadtime) 0x7f7118a69420 [2015/09/09 08:45:04.870608, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) s3_tevent: Added timed event "smbd_idle_event_handler": 0x7f7118a78a20 [2015/09/09 08:45:04.870653, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/events.c:483(event_add_idle) event_add_idle: idle_evt(housekeeping) 0x7f7118a78a20 [2015/09/09 08:45:04.870754, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:337(read_smb_length_return_keepalive) got smb length of 190 [2015/09/09 08:45:04.870821, 6, pid=11196, effective(0, 0), 
real(0, 0)] ../source3/smbd/process.c:1800(process_smb) got message type 0x0 of len 0xbe [2015/09/09 08:45:04.870871, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1802(process_smb) Transaction 0 of length 194 (0 toread) [2015/09/09 08:45:04.870919, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:168(show_msg) [2015/09/09 08:45:04.870949, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:178(show_msg) size=190 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51267 smb_tid=0 smb_pid=65534 smb_uid=0 smb_mid=0 smt_wct=0 smb_bcc=155 [2015/09/09 08:45:04.871202, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/util.c:556(dump_data) [0000] 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 .PC NETW ORK PROG [0010] 52 41 4D 20 31 2E 30 00 02 4D 49 43 52 4F 53 4F RAM 1.0. .MICROSO [0020] 46 54 20 4E 45 54 57 4F 52 4B 53 20 31 2E 30 33 FT NETWO RKS 1.03 [0030] 00 02 4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 ..MICROS OFT NETW [0040] 4F 52 4B 53 20 33 2E 30 00 02 4C 41 4E 4D 41 4E ORKS 3.0 ..LANMAN [0050] 31 2E 30 00 02 4C 4D 31 2E 32 58 30 30 32 00 02 1.0..LM1 .2X002.. [0060] 44 4F 53 20 4C 41 4E 4D 41 4E 32 2E 31 00 02 4C DOS LANM AN2.1..L [0070] 41 4E 4D 41 4E 32 2E 31 00 02 53 61 6D 62 61 00 ANMAN2.1 ..Samba. [0080] 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00 02 .NT LANM AN 1.0.. [0090] 4E 54 20 4C 4D 20 30 2E 31 32 00 NT LM 0. 12. 
[2015/09/09 08:45:04.871619, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1405(switch_message) switch message SMBnegprot (pid 11196) conn 0x0 [2015/09/09 08:45:04.871811, 0, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1361(smb_dump) created /tmp/SMBnegprot.8.req len 194 [2015/09/09 08:45:04.871951, 4, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2015/09/09 08:45:04.872011, 5, pid=11196, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2015/09/09 08:45:04.872065, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:629(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2015/09/09 08:45:04.872178, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2015/09/09 08:45:04.873208, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:564(reply_negprot) Requested protocol [PC NETWORK PROGRAM 1.0] [2015/09/09 08:45:04.873291, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:564(reply_negprot) Requested protocol [MICROSOFT NETWORKS 1.03] [2015/09/09 08:45:04.873342, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:564(reply_negprot) Requested protocol [MICROSOFT NETWORKS 3.0] [2015/09/09 08:45:04.873390, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:564(reply_negprot) Requested protocol [LANMAN1.0] [2015/09/09 08:45:04.873439, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:564(reply_negprot) Requested protocol [LM1.2X002] [2015/09/09 08:45:04.873487, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:564(reply_negprot) Requested protocol [DOS LANMAN2.1] [2015/09/09 08:45:04.873535, 3, pid=11196, effective(0, 0), 
real(0, 0)] ../source3/smbd/negprot.c:564(reply_negprot) Requested protocol [LANMAN2.1] [2015/09/09 08:45:04.873582, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:564(reply_negprot) Requested protocol [Samba] [2015/09/09 08:45:04.873636, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:564(reply_negprot) Requested protocol [NT LANMAN 1.0] [2015/09/09 08:45:04.873705, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:564(reply_negprot) Requested protocol [NT LM 0.12] [2015/09/09 08:45:04.873758, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:1288(set_remote_arch) set_remote_arch: Client arch is 'Samba' [2015/09/09 08:45:04.873831, 6, pid=11196, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2661(lp_file_list_changed) lp_file_list_changed() [2015/09/09 08:45:04.873886, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order) check lock order 2 for /var/lib/samba/serverid.tdb [2015/09/09 08:45:04.873933, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2:/var/lib/samba/serverid.tdb 3: [2015/09/09 08:45:04.873985, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key BC2B000000000000FFFFFFFF [2015/09/09 08:45:04.874049, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f7118a77350 [2015/09/09 08:45:04.874108, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key BC2B000000000000FFFFFFFF [2015/09/09 08:45:04.874187, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 2 for /var/lib/samba/serverid.tdb [2015/09/09 08:45:04.874246, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: 
[2015/09/09 08:45:04.874323, 6, pid=11196, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2661(lp_file_list_changed) lp_file_list_changed() [2015/09/09 08:45:04.874414, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a74680 [2015/09/09 08:45:04.874470, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a74680 [2015/09/09 08:45:04.874522, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register) Registering messaging pointer for type 1536 - private_data=0x7f7118a777e0 [2015/09/09 08:45:04.874623, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:469(make_auth_context_subsystem) Making default auth method list for DC [2015/09/09 08:45:04.874690, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend sam [2015/09/09 08:45:04.874743, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'sam' [2015/09/09 08:45:04.874788, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend sam_ignoredomain [2015/09/09 08:45:04.874835, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'sam_ignoredomain' [2015/09/09 08:45:04.874882, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend winbind [2015/09/09 08:45:04.874926, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'winbind' [2015/09/09 08:45:04.874970, 5, pid=11196, 
effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend trustdomain [2015/09/09 08:45:04.875014, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'trustdomain' [2015/09/09 08:45:04.875057, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend ntdomain [2015/09/09 08:45:04.875101, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'ntdomain' [2015/09/09 08:45:04.875173, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend guest [2015/09/09 08:45:04.875236, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'guest' [2015/09/09 08:45:04.875282, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:363(load_auth_module) load_auth_module: Attempting to find an auth method to match guest [2015/09/09 08:45:04.875328, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:388(load_auth_module) load_auth_module: auth method guest has a valid init [2015/09/09 08:45:04.875392, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:363(load_auth_module) load_auth_module: Attempting to find an auth method to match sam [2015/09/09 08:45:04.875440, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:388(load_auth_module) load_auth_module: auth method sam has a valid init [2015/09/09 08:45:04.875485, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:363(load_auth_module) load_auth_module: Attempting to find an auth method to match winbind:trustdomain [2015/09/09 08:45:04.875530, 5, pid=11196, 
effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:363(load_auth_module) load_auth_module: Attempting to find an auth method to match trustdomain [2015/09/09 08:45:04.875578, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:388(load_auth_module) load_auth_module: auth method trustdomain has a valid init [2015/09/09 08:45:04.875621, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:388(load_auth_module) load_auth_module: auth method winbind has a valid init [2015/09/09 08:45:04.875900, 3, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:871(gensec_register) GENSEC backend 'gssapi_spnego' registered [2015/09/09 08:45:04.875963, 3, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:871(gensec_register) GENSEC backend 'gssapi_krb5' registered [2015/09/09 08:45:04.876012, 3, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:871(gensec_register) GENSEC backend 'gssapi_krb5_sasl' registered [2015/09/09 08:45:04.876073, 3, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:871(gensec_register) GENSEC backend 'sasl-DIGEST-MD5' registered [2015/09/09 08:45:04.876125, 3, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:871(gensec_register) GENSEC backend 'spnego' registered [2015/09/09 08:45:04.876218, 3, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:871(gensec_register) GENSEC backend 'schannel' registered [2015/09/09 08:45:04.876272, 3, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:871(gensec_register) GENSEC backend 'sasl-EXTERNAL' registered [2015/09/09 08:45:04.876324, 3, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:871(gensec_register) GENSEC backend 'ntlmssp' registered [2015/09/09 08:45:04.876440, 5, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:650(gensec_start_mech) Starting GENSEC mechanism spnego 
[2015/09/09 08:45:04.876525, 5, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:650(gensec_start_mech) Starting GENSEC submechanism gse_krb5 [2015/09/09 08:45:04.876963, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:1266(smb_krb5_open_keytab) smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab [2015/09/09 08:45:04.877697, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:385(reply_nt1) using SPNEGO [2015/09/09 08:45:04.877770, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:672(reply_negprot) Selected protocol NT LANMAN 1.0 [2015/09/09 08:45:04.877816, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:679(reply_negprot) negprot index=8 [2015/09/09 08:45:04.877863, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:168(show_msg) [2015/09/09 08:45:04.877892, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:178(show_msg) size=181 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51267 smb_tid=0 smb_pid=65534 smb_uid=0 smb_mid=0 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12803 (0x3203) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]=48128 (0xBC00) smb_vwv[ 8]= 43 (0x2B) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]=33011 (0x80F3) smb_vwv[11]=55936 (0xDA80) smb_vwv[12]=15947 (0x3E4B) smb_vwv[13]=51983 (0xCB0F) smb_vwv[14]=53482 (0xD0EA) smb_vwv[15]=34817 (0x8801) smb_vwv[16]= 255 (0xFF) smb_bcc=112 [2015/09/09 08:45:04.881937, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/util.c:556(dump_data) [0000] 6D 6C 76 69 70 61 30 31 00 00 00 00 00 00 00 00 srv01 ........ [0010] 60 5E 06 06 2B 06 01 05 05 02 A0 54 30 52 A0 24 `^..+... ...T0R.$ [0020] 30 22 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0"..*.H. .......* [0030] 86 48 86 F7 12 01 02 02 06 0A 2B 06 01 04 01 82 .H...... ..+..... 
[0040] 37 02 02 0A A3 2A 30 28 A0 26 1B 24 6E 6F 74 5F 7....*0( .&.$not_ [0050] 64 65 66 69 6E 65 64 5F 69 6E 5F 52 46 43 34 31 defined_ in_RFC41 [0060] 37 38 40 70 6C 65 61 73 65 5F 69 67 6E 6F 72 65 78 at pleas e_ignore ==> /var/log/httpd/error_log <== s4_tevent: Destroying timer event 0x7f8a3c042170 "tevent_req_timedout" Starting GENSEC mechanism spnego Starting GENSEC submechanism gssapi_krb5 Ticket in credentials cache for admin at IPA.MYDOMAIN.COM will expire in 22605 secs s4_tevent: Added timed event "tevent_req_timedout": 0x7f8a3c0e51e0 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f8a3c0c61c0 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f8a3c0c61c0 ==> /var/log/samba/log.192.168.0.65 <== [2015/09/09 08:45:04.895647, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:337(read_smb_length_return_keepalive) got smb length of 1638 [2015/09/09 08:45:04.895749, 6, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1800(process_smb) got message type 0x0 of len 0x666 [2015/09/09 08:45:04.895805, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1802(process_smb) Transaction 1 of length 1642 (0 toread) [2015/09/09 08:45:04.895853, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:168(show_msg) [2015/09/09 08:45:04.895882, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:178(show_msg) size=1638 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51203 smb_tid=0 smb_pid=7861 smb_uid=0 smb_mid=1 smt_wct=12 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]=12288 (0x3000) smb_vwv[ 3]= 50 (0x32) smb_vwv[ 4]= 1 (0x1) smb_vwv[ 5]=11196 (0x2BBC) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 1522 (0x5F2) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]=62461 (0xF3FD) smb_vwv[11]=32896 (0x8080) smb_bcc=1579 [2015/09/09 08:45:04.896375, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/util.c:556(dump_data) [0000] 60 82 05 EE 06 
06 2B 06 01 05 05 02 A0 82 05 E2 `.....+. ........ [0010] 30 82 05 DE A0 0D 30 0B 06 09 2A 86 48 82 F7 12 0.....0. ..*.H... [0020] 01 02 02 A2 82 05 CB 04 82 05 C7 60 82 05 C3 06 ........ ...`.... [0030] 09 2A 86 48 86 F7 12 01 02 02 01 00 6E 82 05 B2 .*.H.... ....n... [0040] 30 82 05 AE A0 03 02 01 05 A1 03 02 01 0E A2 07 0....... ........ [0050] 03 05 00 20 00 00 00 A3 82 04 BF 61 82 04 BB 30 ... .... ...a...0 [0060] 82 04 B7 A0 03 02 01 05 A1 14 1B 12 49 50 41 2E ........ ....IPA. [0070] 50 45 44 4F 4E 47 52 4F 55 50 2E 43 4F 4D A2 2F MYDOMAIN .COM./ [0080] 30 2D A0 03 02 01 01 A1 26 30 24 1B 04 63 69 66 0-...... &0$..cif [0090] 73 1B 1C 6D 6C 76 2D 69 70 61 30 31 2E 69 70 61 s..srv01 .ipa [00A0] 2E 70 65 64 6F 6E 67 72 6F 75 70 2E 63 6F 6D A3 .mydomai n.com. [00B0] 82 04 67 30 82 04 63 A0 03 02 01 12 A1 03 02 01 ..g0..c. ........ [00C0] 02 A2 82 04 55 04 82 04 51 80 3E 70 46 29 67 E3 ....U... Q.>pF)g. [00D0] 27 7F BC D5 F3 61 B8 09 58 4B 1A FF 0F 4E 6D 32 '....a.. XK...Nm2 [00E0] 75 54 4E 46 7E AE B7 AB 5B 70 6E 1A 4A D4 44 01 uTNF~... [pn.J.D. [00F0] 90 3A F5 2B 75 DB 5A 35 26 80 D6 DD 18 A8 A2 05 .:.+u.Z5 &....... [0100] 95 95 A4 BB F5 9C 92 50 3E 67 5B 5B 65 C2 13 E7 .......P >g[[e... [0110] 86 C7 33 81 73 29 7D DF B8 3A 76 25 26 1B 90 CE ..3.s)}. .:v%&... [0120] CA 69 EB 2B 95 5D 08 D0 AC 6B 6C 59 43 DE 42 01 .i.+.].. .klYC.B. [0130] 5C 17 01 1D 1B D8 C8 41 09 54 FF 58 BB 76 0D BD \......A .T.X.v.. [0140] 7D 69 7C C3 25 11 F7 1D 2B 11 D1 7C BD F2 41 77 }i|.%... +..|..Aw [0150] AD 66 90 9A 5D 3C 6E B0 4B 6C 37 78 C7 22 5B 6F .f..]q [04D0] E0 03 D7 36 FF FE 8E 85 D8 8F B0 D9 D3 6C 71 08 ...6.... .....lq. [04E0] 73 65 35 12 B0 F2 95 E6 BF 58 41 99 A0 94 12 E0 se5..... .XA..... [04F0] FE 52 A2 A0 B6 77 74 04 5C 73 F8 EE 5F 30 0B 5D .R...wt. \s.._0.] [0500] C2 A9 F4 15 62 6E 66 6A EA A7 41 8D 99 50 49 B9 ....bnfj ..A..PI. [0510] 8D 9E 5F 15 18 FD DD B3 49 1D A4 81 D5 30 81 D2 .._..... I....0.. [0520] A0 03 02 01 12 A2 81 CA 04 81 C7 57 C7 EC 94 42 ........ 
...W...B [0530] 6F 98 F4 5C 6C E0 85 CA 8C 9B 5E 81 50 AB 24 C1 o..\l... ..^.P.$. [0540] 21 3B 78 2C D0 99 84 31 38 33 33 85 55 33 B9 15 !;x,...1 833.U3.. [0550] 17 9F 3B 09 B6 73 F2 61 D8 6F F6 B7 C9 CF C8 7A ..;..s.a .o.....z [0560] 7A 7D 8F C5 12 6E 60 D3 8C 0B F5 06 0D 88 0D C6 z}...n`. ........ [0570] 64 6A CD A3 BA 84 5E 5E 02 85 5E CD F4 40 CA C5 dj....^^ ..^.. at .. [0580] 2E 58 0D 84 99 58 53 F4 E4 35 2C 9D 7D 86 8B 62 .X...XS. .5,.}..b [0590] 13 B5 1C DA 81 29 F7 30 1C A9 29 28 84 6E 2B 64 .....).0 ..)(.n+d [05A0] 21 DF F6 84 6B 3F 7B A7 F8 A1 67 D0 98 72 2F 19 !...k?{. ..g..r/. [05B0] D5 7C 3F 96 82 24 C6 02 F8 E7 83 0E 6F 8B CC D5 .|?..$.. ....o... [05C0] 6B 3F B6 8A 26 01 F7 9B D2 94 C1 CE 99 6E 00 CF k?..&... .....n.. [05D0] 44 A2 15 45 C3 4A 3C 47 36 CE AB 60 41 92 BE 8B D..E.J 3: [2015/09/09 08:45:04.900881, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 85785D5B [2015/09/09 08:45:04.900939, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f7118a65f10 [2015/09/09 08:45:04.901389, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_session.c:854(smbXsrv_session_global_store) [2015/09/09 08:45:04.901444, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_session.c:856(smbXsrv_session_global_store) smbXsrv_session_global_store: key '85785D5B' stored [2015/09/09 08:45:04.901496, 1, pid=11196, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug) &global_blob: struct smbXsrv_session_globalB version : SMBXSRV_VERSION_0 (0) seqnum : 0x00000001 (1) info : union smbXsrv_session_globalU(case 0) info0 : * info0: struct smbXsrv_session_global0 db_rec : * session_global_id : 0x85785d5b (2239257947) session_wire_id : 0x0000000000004d9d (19869) creation_time : Wed Sep 9 08:45:05 AM 2015 CEST expiration_time : Thu Jan 1 01:00:00 AM 1970 CET auth_session_info_seqnum : 0x00000000 (0) 
auth_session_info : NULL connection_dialect : 0x0000 (0) signing_required : 0x00 (0) encryption_required : 0x00 (0) num_channels : 0x00000001 (1) channels: ARRAY(1) channels: struct smbXsrv_channel_global0 server_id: struct server_id pid : 0x0000000000002bbc (11196) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbf238af92a5d8fc8 (-4673739185518178360) local_address : 'ipv4:192.168.0.65:445' remote_address : 'ipv4: 192.168.0.65:46193' remote_name : '192.168.0.65' auth_session_info_seqnum : 0x00000000 (0) [2015/09/09 08:45:04.902110, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 85785D5B [2015/09/09 08:45:04.902204, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/lib/samba/smbXsrv_session_global.tdb [2015/09/09 08:45:04.902257, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2015/09/09 08:45:04.902304, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_session.c:1216(smbXsrv_session_create) [2015/09/09 08:45:04.902331, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_session.c:1224(smbXsrv_session_create) smbXsrv_session_create: global_id (0x85785d5b) stored [2015/09/09 08:45:04.902374, 1, pid=11196, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug) &session_blob: struct smbXsrv_sessionB version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_sessionU(case 0) info0 : * info0: struct smbXsrv_session table : * db_rec : NULL connection : * local_id : 0x00004d9d (19869) global : * global: struct smbXsrv_session_global0 db_rec : NULL session_global_id : 0x85785d5b (2239257947) session_wire_id : 0x0000000000004d9d (19869) creation_time : Wed Sep 9 08:45:05 AM 2015 CEST expiration_time : Thu Jan 1 01:00:00 AM 1970 CET auth_session_info_seqnum : 0x00000000 (0) 
auth_session_info : NULL connection_dialect : 0x0000 (0) signing_required : 0x00 (0) encryption_required : 0x00 (0) num_channels : 0x00000001 (1) channels: ARRAY(1) channels: struct smbXsrv_channel_global0 server_id: struct server_id pid : 0x0000000000002bbc (11196) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbf238af92a5d8fc8 (-4673739185518178360) local_address : 'ipv4: 192.168.0.65:445' remote_address : 'ipv4: 192.168.0.65:46193' remote_name : '192.168.0.65' auth_session_info_seqnum : 0x00000000 (0) status : NT_STATUS_MORE_PROCESSING_REQUIRED idle_time : Wed Sep 9 08:45:05 AM 2015 CEST nonce_high : 0x0000000000000000 (0) nonce_low : 0x0000000000000000 (0) gensec : NULL compat : NULL tcon_table : NULL [2015/09/09 08:45:04.903253, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:469(make_auth_context_subsystem) Making default auth method list for DC [2015/09/09 08:45:04.903310, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:363(load_auth_module) load_auth_module: Attempting to find an auth method to match guest [2015/09/09 08:45:04.903357, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:388(load_auth_module) load_auth_module: auth method guest has a valid init [2015/09/09 08:45:04.903402, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:363(load_auth_module) load_auth_module: Attempting to find an auth method to match sam [2015/09/09 08:45:04.903447, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:388(load_auth_module) load_auth_module: auth method sam has a valid init [2015/09/09 08:45:04.903491, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:363(load_auth_module) load_auth_module: Attempting to find an auth method to match winbind:trustdomain [2015/09/09 08:45:04.903536, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] 
../source3/auth/auth.c:363(load_auth_module) load_auth_module: Attempting to find an auth method to match trustdomain [2015/09/09 08:45:04.903581, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:388(load_auth_module) load_auth_module: auth method trustdomain has a valid init [2015/09/09 08:45:04.903625, 5, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:388(load_auth_module) load_auth_module: auth method winbind has a valid init [2015/09/09 08:45:04.903719, 5, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:650(gensec_start_mech) Starting GENSEC mechanism spnego [2015/09/09 08:45:04.903778, 4, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2015/09/09 08:45:04.903832, 4, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:485(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2015/09/09 08:45:04.903898, 4, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2015/09/09 08:45:04.903944, 5, pid=11196, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2015/09/09 08:45:04.903988, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:629(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2015/09/09 08:45:04.904116, 5, pid=11196, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:650(gensec_start_mech) Starting GENSEC submechanism gse_krb5 [2015/09/09 08:45:04.904458, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:1266(smb_krb5_open_keytab) smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab [2015/09/09 08:45:04.923755, 4, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 
[2015/09/09 08:45:04.924284, 3, pid=11196, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: admin [Administrator]
[2015/09/09 08:45:04.924389, 10, pid=11196, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:388(kerberos_decode_pac)
  Successfully validated Kerberos PAC
  pac_data: struct PAC_DATA
    num_buffers : 0x00000005 (5)
    version : 0x00000000 (0)
    buffers: ARRAY(5)
      buffers: struct PAC_BUFFER
        type : PAC_TYPE_LOGON_INFO (1)
        _ndr_size : 0x000001b0 (432)
        info : *
          info : union PAC_INFO(case 1)
          logon_info: struct PAC_LOGON_INFO_CTR
            info : *
              info: struct PAC_LOGON_INFO
                info3: struct netr_SamInfo3
                  base: struct netr_SamBaseInfo
                    logon_time : NTTIME(0)
                    logoff_time : Thu Jan 1 01:00:00 AM 1970 CET
                    kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET
                    last_password_change : Mon Sep 7 12:17:41 PM 2015 CEST
                    allow_password_change : NTTIME(0)
                    force_password_change : Thu Jan 1 01:00:00 AM 1970 CET
                    account_name: struct lsa_String
                      length : 0x000a (10)
                      size : 0x000a (10)
                      string : *
                        string : 'admin'
                    full_name: struct lsa_String
                      length : 0x001a (26)
                      size : 0x001a (26)
                      string : *
                        string : 'Administrator'
                    logon_script: struct lsa_String
                      length : 0x0000 (0)
                      size : 0x0000 (0)
                      string : *
                        string : ''
                    profile_path: struct lsa_String
                      length : 0x0000 (0)
                      size : 0x0000 (0)
                      string : *
                        string : ''
                    home_directory: struct lsa_String
                      length : 0x0000 (0)
                      size : 0x0000 (0)
                      string : *
                        string : ''
                    home_drive: struct lsa_String
                      length : 0x0000 (0)
                      size : 0x0000 (0)
                      string : *
                        string : ''
                    logon_count : 0x0000 (0)
                    bad_password_count : 0x0000 (0)
                    rid : 0x000001f4 (500)
                    primary_gid : 0x00000200 (512)
                    groups: struct samr_RidWithAttributeArray
                      count : 0x00000000 (0)
                      rids : *
                        rids: ARRAY(0)
                    user_flags : 0x00000000 (0)
                      0: NETLOGON_GUEST
                      0: NETLOGON_NOENCRYPTION
                      0: NETLOGON_CACHED_ACCOUNT
                      0: NETLOGON_USED_LM_PASSWORD
                      0: NETLOGON_EXTRA_SIDS
                      0: NETLOGON_SUBAUTH_SESSION_KEY
                      0: NETLOGON_SERVER_TRUST_ACCOUNT
                      0: NETLOGON_NTLMV2_ENABLED
                      0: NETLOGON_RESOURCE_GROUPS
                      0: NETLOGON_PROFILE_PATH_RETURNED
                      0: NETLOGON_GRACE_LOGON
                    key: struct netr_UserSessionKey
                      key : 00000000000000000000000000000000
                    logon_server: struct lsa_StringLarge
                      length : 0x0012 (18)
                      size : 0x0014 (20)
                      string : *
                        string : 'SRV01'
                    logon_domain: struct lsa_StringLarge
                      length : 0x0006 (6)
                      size : 0x0008 (8)
                      string : *
                        string : 'IPA'
                    domain_sid : *
                      domain_sid : S-1-5-21-2755472311-3010766786-1504281988
                    LMSessKey: struct netr_LMSessionKey
                      key : 0000000000000000
                    acct_flags : 0x00000010 (16)
                      0: ACB_DISABLED
                      0: ACB_HOMDIRREQ
                      0: ACB_PWNOTREQ
                      0: ACB_TEMPDUP
                      1: ACB_NORMAL
                      0: ACB_MNS
                      0: ACB_DOMTRUST
                      0: ACB_WSTRUST
                      0: ACB_SVRTRUST
                      0: ACB_PWNOEXP
                      0: ACB_AUTOLOCK
                      0: ACB_ENC_TXT_PWD_ALLOWED
                      0: ACB_SMARTCARD_REQUIRED
                      0: ACB_TRUSTED_FOR_DELEGATION
                      0: ACB_NOT_DELEGATED
                      0: ACB_USE_DES_KEY_ONLY
                      0: ACB_DONT_REQUIRE_PREAUTH
                      0: ACB_PW_EXPIRED
                      0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
                      0: ACB_NO_AUTH_DATA_REQD
                      0: ACB_PARTIAL_SECRETS_ACCOUNT
                      0: ACB_USE_AES_KEYS
                    sub_auth_status : 0x00000000 (0)
                    last_successful_logon : NTTIME(0)
                    last_failed_logon : NTTIME(0)
                    failed_logon_count : 0x00000000 (0)
                    reserved : 0x00000000 (0)
                  sidcount : 0x00000000 (0)
                  sids : NULL
                res_group_dom_sid : NULL
                res_groups: struct samr_RidWithAttributeArray
                  count : 0x00000000 (0)
                  rids : NULL
        _pad : 0x00000000 (0)
      buffers: struct PAC_BUFFER
        type : PAC_TYPE_LOGON_NAME (10)
        _ndr_size : 0x00000014 (20)
        info : *
          info : union PAC_INFO(case 10)
          logon_name: struct PAC_LOGON_NAME
            logon_time : Tue Sep 8 05:04:44 PM 2015 CEST
            size : 0x000a (10)
            account_name : 'admin'
        _pad : 0x00000000 (0)
      buffers: struct PAC_BUFFER
        type : PAC_TYPE_CONSTRAINED_DELEGATION (11)
        _ndr_size : 0x00000118 (280)
        info : *
          info : union PAC_INFO(case 11)
          constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR
            info : *
              info: struct PAC_CONSTRAINED_DELEGATION
                proxy_target: struct lsa_String
                  length : 0x0068 (104)
                  size : 0x0068 (104)
                  string : *
                    string : 'HTTP/srv01.ipa.mydomain.com@IPA.MYDOMAIN.COM'
                num_transited_services : 0x00000001 (1)
                transited_services : *
                  transited_services: ARRAY(1)
                    transited_services: struct lsa_String
                      length : 0x0068 (104)
                      size : 0x0068 (104)
                      string : *
                        string : 'cifs/srv01.ipa.mydomain.com@IPA.MYDOMAIN.COM'
        _pad : 0x00000000 (0)
      buffers: struct PAC_BUFFER
        type : PAC_TYPE_SRV_CHECKSUM (6)
        _ndr_size : 0x00000010 (16)
        info : *
          info : union PAC_INFO(case 6)
          srv_cksum: struct PAC_SIGNATURE_DATA
            type : 0x00000010 (16)
            signature : DATA_BLOB length=12
              [0000] 1C E7 B8 39 58 95 2C 2A 5B 3E B8 3C   ...9X.,* [>.<
        _pad : 0x00000000 (0)
      buffers: struct PAC_BUFFER
        type : PAC_TYPE_KDC_CHECKSUM (7)
        _ndr_size : 0x00000010 (16)
        info : *
          info : union PAC_INFO(case 7)
          kdc_cksum: struct PAC_SIGNATURE_DATA
            type : 0x00000010 (16)
            signature : DATA_BLOB length=12
              [0000] 39 C4 FE AB DF EF 2B 29 C6 B2 D7 14   9.....+) ....
        _pad : 0x00000000 (0)
[2015/09/09 08:45:04.928393, 3, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [admin@IPA.MYDOMAIN.COM]
[2015/09/09 08:45:04.928455, 10, pid=11196, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
  Domain is [IPA] (using PAC)
[2015/09/09 08:45:04.928519, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user IPA\admin
[2015/09/09 08:45:04.928569, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is ipa\admin
[2015/09/09 08:45:04.930336, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [IPA\admin]!
[2015/09/09 08:45:04.930628, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/libsmb/samlogon_cache.c:148(netsamlogon_cache_store) netsamlogon_cache_store: SID [S-1-5-21-2755472311-3010766786-1504281988-500] [2015/09/09 08:45:04.930693, 1, pid=11196, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug) &r: struct netsamlogoncache_entry timestamp : Wed Sep 9 08:45:04 AM 2015 CEST info3: struct netr_SamInfo3 base: struct netr_SamBaseInfo logon_time : NTTIME(0) logoff_time : Thu Jan 1 01:00:00 AM 1970 CET kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET last_password_change : Mon Sep 7 12:17:41 PM 2015 CEST allow_password_change : NTTIME(0) force_password_change : Thu Jan 1 01:00:00 AM 1970 CET account_name: struct lsa_String length : 0x000a (10) size : 0x000a (10) string : * string : 'admin' full_name: struct lsa_String length : 0x001a (26) size : 0x001a (26) string : * string : 'Administrator' logon_script: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' profile_path: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' home_directory: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' home_drive: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) rid : 0x000001f4 (500) primary_gid : 0x00000200 (512) groups: struct samr_RidWithAttributeArray count : 0x00000000 (0) rids : * rids: ARRAY(0) user_flags : 0x00000000 (0) 0: NETLOGON_GUEST 0: NETLOGON_NOENCRYPTION 0: NETLOGON_CACHED_ACCOUNT 0: NETLOGON_USED_LM_PASSWORD 0: NETLOGON_EXTRA_SIDS 0: NETLOGON_SUBAUTH_SESSION_KEY 0: NETLOGON_SERVER_TRUST_ACCOUNT 0: NETLOGON_NTLMV2_ENABLED 0: NETLOGON_RESOURCE_GROUPS 0: NETLOGON_PROFILE_PATH_RETURNED 0: NETLOGON_GRACE_LOGON key: struct netr_UserSessionKey key : 00000000000000000000000000000000 logon_server: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 
'SRV01' logon_domain: struct lsa_StringLarge length : 0x0006 (6) size : 0x0008 (8) string : * string : 'IPA' domain_sid : * domain_sid : S-1-5-21-2755472311-3010766786-1504281988 LMSessKey: struct netr_LMSessionKey key : 0000000000000000 acct_flags : 0x00000010 (16) 0: ACB_DISABLED 0: ACB_HOMDIRREQ 0: ACB_PWNOTREQ 0: ACB_TEMPDUP 1: ACB_NORMAL 0: ACB_MNS 0: ACB_DOMTRUST 0: ACB_WSTRUST 0: ACB_SVRTRUST 0: ACB_PWNOEXP 0: ACB_AUTOLOCK 0: ACB_ENC_TXT_PWD_ALLOWED 0: ACB_SMARTCARD_REQUIRED 0: ACB_TRUSTED_FOR_DELEGATION 0: ACB_NOT_DELEGATED 0: ACB_USE_DES_KEY_ONLY 0: ACB_DONT_REQUIRE_PREAUTH 0: ACB_PW_EXPIRED 0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0: ACB_NO_AUTH_DATA_REQD 0: ACB_PARTIAL_SECRETS_ACCOUNT 0: ACB_USE_AES_KEYS sub_auth_status : 0x00000000 (0) last_successful_logon : NTTIME(0) last_failed_logon : NTTIME(0) failed_logon_count : 0x00000000 (0) reserved : 0x00000000 (0) sidcount : 0x00000000 (0) sids : NULL [2015/09/09 08:45:04.932862, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:4842(lp_load_ex) lp_load_ex: refreshing parameters [2015/09/09 08:45:04.932926, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1491(free_param_opts) Freeing parametrics: [2015/09/09 08:45:04.933011, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:750(init_globals) Initialising global parameters doing parameter registry shares = yes [2015/09/09 08:45:04.933182, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2451(process_registry_service) process_registry_service: service name global [2015/09/09 08:45:04.933252, 7, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_api.c:143(regkey_open_onelevel) regkey_open_onelevel: name = [global] [2015/09/09 08:45:04.933307, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:846(regdb_open) regdb_open: incrementing refcount (2->3) [2015/09/09 08:45:04.933369, 10, pid=11196, 
effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_cachehook.c:125(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SOFTWARE\Samba\smbconf\global] [2015/09/09 08:45:04.933416, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SOFTWARE\Samba\smbconf\global] [2015/09/09 08:45:04.933464, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:413(pathtree_find) pathtree_find: [loop] base => [HKLM], new_path => [SOFTWARE\Samba\smbconf\global] [2015/09/09 08:45:04.933508, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [HKLM] [2015/09/09 08:45:04.933552, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [HKPT] [2015/09/09 08:45:04.933595, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:200(pathtree_find_child) pathtree_find_child: Found [HKLM] [2015/09/09 08:45:04.933639, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:413(pathtree_find) pathtree_find: [loop] base => [SOFTWARE], new_path => [Samba\smbconf\global] [2015/09/09 08:45:04.933682, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [SOFTWARE] [2015/09/09 08:45:04.933725, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [SYSTEM] [2015/09/09 08:45:04.933768, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:200(pathtree_find_child) pathtree_find_child: Found [SOFTWARE] [2015/09/09 08:45:04.933812, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:413(pathtree_find) pathtree_find: [loop] base => [Samba], new_path => [smbconf\global] [2015/09/09 08:45:04.933867, 11, pid=11196, effective(0, 0), real(0, 
0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [Microsoft] [2015/09/09 08:45:04.933912, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [Samba] [2015/09/09 08:45:04.933955, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:200(pathtree_find_child) pathtree_find_child: Found [Samba] [2015/09/09 08:45:04.933999, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:413(pathtree_find) pathtree_find: [loop] base => [smbconf], new_path => [global] [2015/09/09 08:45:04.934042, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [smbconf] [2015/09/09 08:45:04.934085, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:200(pathtree_find_child) pathtree_find_child: Found [smbconf] [2015/09/09 08:45:04.934129, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:413(pathtree_find) pathtree_find: [loop] base => [global], new_path => [] [2015/09/09 08:45:04.934209, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:200(pathtree_find_child) pathtree_find_child: Did not find [global] [2015/09/09 08:45:04.934257, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:436(pathtree_find) pathtree_find: Found data_p! 
[2015/09/09 08:45:04.934301, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2015/09/09 08:45:04.934344, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_cachehook.c:130(reghook_cache_find) reghook_cache_find: found ops 0x7f7114ef5bc0 for key [\HKLM\SOFTWARE\Samba\smbconf\global] [2015/09/09 08:45:04.934397, 11, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1722(regdb_fetch_keys_internal) regdb_fetch_keys: Enter key => [HKLM\SOFTWARE\Samba\smbconf\global] [2015/09/09 08:45:04.934465, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(d, 4) -> 4 [2015/09/09 08:45:04.934521, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(d, 4) -> 4 [2015/09/09 08:45:04.934574, 11, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1781(regdb_fetch_keys_internal) regdb_fetch_keys: Exit [0] items [2015/09/09 08:45:04.934623, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:883(regdb_close) regdb_close: decrementing refcount (3->2) [2015/09/09 08:45:04.934671, 7, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_api.c:143(regkey_open_onelevel) regkey_open_onelevel: name = [global] [2015/09/09 08:45:04.934718, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:846(regdb_open) regdb_open: incrementing refcount (2->3) [2015/09/09 08:45:04.934766, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_cachehook.c:125(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SOFTWARE\Samba\smbconf\global] [2015/09/09 08:45:04.934811, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter 
[\HKLM\SOFTWARE\Samba\smbconf\global] [2015/09/09 08:45:04.934855, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:413(pathtree_find) pathtree_find: [loop] base => [HKLM], new_path => [SOFTWARE\Samba\smbconf\global] [2015/09/09 08:45:04.934899, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [HKLM] [2015/09/09 08:45:04.934942, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [HKPT] [2015/09/09 08:45:04.934996, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:200(pathtree_find_child) pathtree_find_child: Found [HKLM] [2015/09/09 08:45:04.935040, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:413(pathtree_find) pathtree_find: [loop] base => [SOFTWARE], new_path => [Samba\smbconf\global] [2015/09/09 08:45:04.935084, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [SOFTWARE] [2015/09/09 08:45:04.935127, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [SYSTEM] [2015/09/09 08:45:04.935209, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:200(pathtree_find_child) pathtree_find_child: Found [SOFTWARE] [2015/09/09 08:45:04.935257, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:413(pathtree_find) pathtree_find: [loop] base => [Samba], new_path => [smbconf\global] [2015/09/09 08:45:04.935301, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [Microsoft] [2015/09/09 08:45:04.935345, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [Samba] [2015/09/09 08:45:04.935389, 11, pid=11196, effective(0, 
0), real(0, 0)] ../source3/lib/adt_tree.c:200(pathtree_find_child) pathtree_find_child: Found [Samba] [2015/09/09 08:45:04.935432, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:413(pathtree_find) pathtree_find: [loop] base => [smbconf], new_path => [global] [2015/09/09 08:45:04.935476, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [smbconf] [2015/09/09 08:45:04.935521, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:200(pathtree_find_child) pathtree_find_child: Found [smbconf] [2015/09/09 08:45:04.935565, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:413(pathtree_find) pathtree_find: [loop] base => [global], new_path => [] [2015/09/09 08:45:04.935609, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:200(pathtree_find_child) pathtree_find_child: Did not find [global] [2015/09/09 08:45:04.935652, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:436(pathtree_find) pathtree_find: Found data_p! 
[2015/09/09 08:45:04.935695, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2015/09/09 08:45:04.935739, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_cachehook.c:130(reghook_cache_find) reghook_cache_find: found ops 0x7f7114ef5bc0 for key [\HKLM\SOFTWARE\Samba\smbconf\global] [2015/09/09 08:45:04.935787, 11, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1722(regdb_fetch_keys_internal) regdb_fetch_keys: Enter key => [HKLM\SOFTWARE\Samba\smbconf\global] [2015/09/09 08:45:04.935843, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(d, 4) -> 4 [2015/09/09 08:45:04.935898, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(d, 4) -> 4 [2015/09/09 08:45:04.935944, 11, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1781(regdb_fetch_keys_internal) regdb_fetch_keys: Exit [0] items [2015/09/09 08:45:04.935996, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_dispatcher.c:151(fetch_reg_values) fetch_reg_values called for key 'HKLM\SOFTWARE\Samba\smbconf\global' (ops 0x7f7114ef5bc0) [2015/09/09 08:45:04.936043, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1891(regdb_fetch_values_internal) regdb_fetch_values: Looking for values of key [HKLM\SOFTWARE\Samba\smbconf\global] [2015/09/09 08:45:04.936106, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(d, 4) -> 4 [2015/09/09 08:45:04.936194, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(d, 1400) -> 4 [2015/09/09 08:45:04.936253, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 1396) -> 26 [2015/09/09 08:45:04.936303, 
10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[0]: name[workgroup] len[8] [2015/09/09 08:45:04.936349, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 1370) -> 39 [2015/09/09 08:45:04.936397, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[1]: name[netbios name] len[18] [2015/09/09 08:45:04.936443, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 1331) -> 52 [2015/09/09 08:45:04.936490, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[2]: name[realm] len[38] [2015/09/09 08:45:04.936536, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 1279) -> 58 [2015/09/09 08:45:04.936583, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[3]: name[kerberos method] len[34] [2015/09/09 08:45:04.936628, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 1221) -> 88 [2015/09/09 08:45:04.936675, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[4]: name[dedicated keytab file] len[58] [2015/09/09 08:45:04.936722, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 1133) -> 31 [2015/09/09 08:45:04.936769, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[5]: name[create krb5 conf] len[6] [2015/09/09 08:45:04.936814, 18, pid=11196, 
effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 1102) -> 27 [2015/09/09 08:45:04.936861, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[6]: name[security] len[10] [2015/09/09 08:45:04.936907, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 1075) -> 30 [2015/09/09 08:45:04.936954, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[7]: name[domain master] len[8] [2015/09/09 08:45:04.937000, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 1045) -> 30 [2015/09/09 08:45:04.937048, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[8]: name[domain logons] len[8] [2015/09/09 08:45:04.937093, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 1015) -> 35 [2015/09/09 08:45:04.937140, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[9]: name[max log size] len[14] [2015/09/09 08:45:04.937224, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 980) -> 61 [2015/09/09 08:45:04.937284, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[10]: name[log file] len[44] [2015/09/09 08:45:04.937332, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 919) -> 147 [2015/09/09 08:45:04.937380, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] 
../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[11]: name[passdb backend] len[124] [2015/09/09 08:45:04.937425, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 772) -> 32 [2015/09/09 08:45:04.937471, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[12]: name[disable spoolss] len[8] [2015/09/09 08:45:04.937523, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 740) -> 32 [2015/09/09 08:45:04.937606, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[13]: name[ldapsam:trusted] len[8] [2015/09/09 08:45:04.937675, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 708) -> 25 [2015/09/09 08:45:04.937746, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[14]: name[ldap ssl] len[8] [2015/09/09 08:45:04.937826, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 683) -> 76 [2015/09/09 08:45:04.937882, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[15]: name[ldap suffix] len[56] [2015/09/09 08:45:04.937961, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 607) -> 67 [2015/09/09 08:45:04.938036, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[16]: name[ldap user suffix] len[42] [2015/09/09 08:45:04.938086, 18, pid=11196, effective(0, 0), real(0, 0)] 
../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 540) -> 70 [2015/09/09 08:45:04.938134, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[17]: name[ldap group suffix] len[44] [2015/09/09 08:45:04.938222, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 470) -> 78 [2015/09/09 08:45:04.938275, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[18]: name[ldap machine suffix] len[50] [2015/09/09 08:45:04.938322, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 392) -> 46 [2015/09/09 08:45:04.938371, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[19]: name[rpc_server:epmapper] len[18] [2015/09/09 08:45:04.938418, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 346) -> 44 [2015/09/09 08:45:04.938465, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[20]: name[rpc_server:lsarpc] len[18] [2015/09/09 08:45:04.938510, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 302) -> 43 [2015/09/09 08:45:04.938558, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[21]: name[rpc_server:lsass] len[18] [2015/09/09 08:45:04.938617, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 259) -> 43 [2015/09/09 08:45:04.938668, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] 
../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[22]: name[rpc_server:lsasd] len[18] [2015/09/09 08:45:04.938714, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 216) -> 42 [2015/09/09 08:45:04.938762, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[23]: name[rpc_server:samr] len[18] [2015/09/09 08:45:04.938808, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 174) -> 46 [2015/09/09 08:45:04.938857, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[24]: name[rpc_server:netlogon] len[18] [2015/09/09 08:45:04.938903, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 128) -> 33 [2015/09/09 08:45:04.938952, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[25]: name[rpc_server:tcpip] len[8] [2015/09/09 08:45:04.938997, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 95) -> 34 [2015/09/09 08:45:04.939234, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[26]: name[rpc_daemon:epmd] len[10] [2015/09/09 08:45:04.939360, 18, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 61) -> 35 [2015/09/09 08:45:04.939454, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values) regdb_unpack_values: value[27]: name[rpc_daemon:lsasd] len[10] [2015/09/09 08:45:04.939535, 18, pid=11196, effective(0, 0), real(0, 0)] 
../source3/lib/util_tdb.c:286(tdb_unpack) tdb_unpack(fdB, 26) -> 26
[2015/09/09 08:45:04.939615, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:1836(regdb_unpack_values)
  regdb_unpack_values: value[28]: name[log level] len[8]
[2015/09/09 08:45:04.940309, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:883(regdb_close)
  regdb_close: decrementing refcount (3->2)
[2015/09/09 08:45:04.940387, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:3568(do_section)
  Processing section "[global]"
  doing parameter workgroup = IPA
  doing parameter netbios name = SRV01
  doing parameter realm = IPA.MYDOMAIN.COM
  doing parameter kerberos method = dedicated keytab
  doing parameter dedicated keytab file = FILE:/etc/samba/samba.keytab
  doing parameter create krb5 conf = no
  doing parameter security = user
  doing parameter domain master = yes
  doing parameter domain logons = yes
  doing parameter max log size = 100000
  doing parameter log file = /var/log/samba/log.%m
  doing parameter passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-MYDOMAIN-COM.socket
  doing parameter disable spoolss = yes
  doing parameter ldapsam:trusted = yes
  doing parameter ldap ssl = off
  doing parameter ldap suffix = dc=ipa,dc=mydomain,dc=com
  doing parameter ldap user suffix = cn=users,cn=accounts
  doing parameter ldap group suffix = cn=groups,cn=accounts
  doing parameter ldap machine suffix = cn=computers,cn=accounts
  doing parameter rpc_server:epmapper = external
  doing parameter rpc_server:lsarpc = external
  doing parameter rpc_server:lsass = external
  doing parameter rpc_server:lsasd = external
  doing parameter rpc_server:samr = external
  doing parameter rpc_server:netlogon = external
  doing parameter rpc_server:tcpip = yes
  doing parameter rpc_daemon:epmd = fork
  doing parameter rpc_daemon:lsasd = fork
  doing parameter log level = 100
[2015/09/09 08:45:04.943367, 5, pid=11196, effective(0, 0), real(0, 0)]
../lib/util/debug.c:334(debug_dump_status) INFO: Current debug levels: all: 100 tdb: 100 printdrivers: 100 lanman: 100 smb: 100 rpc_parse: 100 rpc_srv: 100 rpc_cli: 100 passdb: 100 sam: 100 auth: 100 winbind: 100 vfs: 100 idmap: 100 quota: 100 acls: 100 locking: 100 msdfs: 100 dmapi: 100 registry: 100 scavenger: 100 dns: 100 ldb: 100 [2015/09/09 08:45:04.943838, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2451(process_registry_service) process_registry_service: service name IPC$ [2015/09/09 08:45:04.943895, 7, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_api.c:143(regkey_open_onelevel) regkey_open_onelevel: name = [IPC$] [2015/09/09 08:45:04.943944, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_backend_db.c:846(regdb_open) regdb_open: incrementing refcount (2->3) [2015/09/09 08:45:04.943993, 10, pid=11196, effective(0, 0), real(0, 0), class=registry] ../source3/registry/reg_cachehook.c:125(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SOFTWARE\Samba\smbconf\IPC$] [2015/09/09 08:45:04.944038, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SOFTWARE\Samba\smbconf\IPC$] [2015/09/09 08:45:04.944084, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:413(pathtree_find) pathtree_find: [loop] base => [HKLM], new_path => [SOFTWARE\Samba\smbconf\IPC$] [2015/09/09 08:45:04.944128, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [HKLM] [2015/09/09 08:45:04.944212, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:184(pathtree_find_child) pathtree_find_child: child key => [HKPT] [2015/09/09 08:45:04.944259, 11, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/adt_tree.c:200(pathtree_find_child) pathtree_find_child: Found [HKLM] [2015/09/09 08:45:04.944303, 11, 
BUILTIN\Administrators (NT_STATUS_OK) [2015/09/09 08:45:04.966522, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) wbint_LookupSid: struct wbint_LookupSid out: struct wbint_LookupSid type : * type : SID_NAME_ALIAS (4) domain : * domain : * domain : 'BUILTIN' name : * name : * name : 'Administrators' result : NT_STATUS_OK [2015/09/09 08:45:04.966771, 4, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1346(child_handler) Finished processing child request 59 [2015/09/09 08:45:04.966820, 10, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1363(child_handler) Writing 3560 bytes to parent ==> /var/log/samba/log.winbindd <== [2015/09/09 08:45:04.967109, 50, pid=10537, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Destroying timer event 0x7f0e175aaff0 "tevent_req_timedout" [2015/09/09 08:45:04.967274, 1, pid=10537, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) wbint_LookupSid: struct wbint_LookupSid out: struct wbint_LookupSid type : * type : SID_NAME_ALIAS (4) domain : * domain : * domain : 'BUILTIN' name : * name : * name : 'Administrators' result : NT_STATUS_OK [2015/09/09 08:45:04.967534, 1, pid=10537, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs in: struct wbint_Sids2UnixIDs domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000000 (0) ids : * ids: struct wbint_TransIDArray num_ids : 0x00000001 (1) ids: ARRAY(1) ids: struct wbint_TransID type : ID_TYPE_GID (2) domain_index : 0x00000000 (0) rid : 0x00000220 (544) xid: struct unixid id : 0xffffffff (4294967295) type : 
ID_TYPE_GID (2) [2015/09/09 08:45:04.968103, 50, pid=10537, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f0e175a2eb0 [2015/09/09 08:45:04.968240, 50, pid=10537, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f0e175a2eb0 [2015/09/09 08:45:04.968306, 50, pid=10537, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Added timed event "tevent_req_timedout": 0x7f0e175a3190 ==> /var/log/samba/log.winbindd-idmap <== [2015/09/09 08:45:04.968435, 10, pid=10539, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:72(child_read_request) Need to read 98 extra bytes [2015/09/09 08:45:04.968520, 4, pid=10539, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1338(child_handler) child daemon request 59 [2015/09/09 08:45:04.968583, 10, pid=10539, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:459(child_process_request) child_process_request: request fn NDRCMD [2015/09/09 08:45:04.968631, 10, pid=10539, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_ndr.c:315(winbindd_dual_ndrcmd) winbindd_dual_ndrcmd: Running command WBINT_SIDS2UNIXIDS (no domain) [2015/09/09 08:45:04.968700, 1, pid=10539, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs in: struct wbint_Sids2UnixIDs domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000000 (0) ids : * ids: struct wbint_TransIDArray num_ids : 0x00000001 (1) ids: ARRAY(1) ids: struct 
wbint_TransID type : ID_TYPE_GID (2) domain_index : 0x00000000 (0) rid : 0x00000220 (544) xid: struct unixid id : 0xffffffff (4294967295) type : ID_TYPE_GID (2) [2015/09/09 08:45:04.969311, 1, pid=10539, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:202(idmap_init_domain) idmap range not specified for domain * [2015/09/09 08:45:04.969365, 10, pid=10539, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_srv.c:135(_wbint_Sids2UnixIDs) idmap domain BUILTIN:S-1-5-32 not found [2015/09/09 08:45:04.969414, 1, pid=10539, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs out: struct wbint_Sids2UnixIDs ids : * ids: struct wbint_TransIDArray num_ids : 0x00000001 (1) ids: ARRAY(1) ids: struct wbint_TransID type : ID_TYPE_GID (2) domain_index : 0x00000000 (0) rid : 0x00000220 (544) xid: struct unixid id : 0xffffffff (4294967295) type : ID_TYPE_GID (2) result : NT_STATUS_OK [2015/09/09 08:45:04.969713, 4, pid=10539, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1346(child_handler) Finished processing child request 59 [2015/09/09 08:45:04.969761, 10, pid=10539, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1363(child_handler) Writing 3528 bytes to parent ==> /var/log/samba/log.winbindd <== [2015/09/09 08:45:04.971034, 50, pid=10537, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Destroying timer event 0x7f0e175a3190 "tevent_req_timedout" [2015/09/09 08:45:04.971134, 1, pid=10537, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs out: struct wbint_Sids2UnixIDs ids : * ids: struct wbint_TransIDArray num_ids : 0x00000001 (1) ids: ARRAY(1) ids: struct wbint_TransID type : ID_TYPE_GID (2) domain_index : 0x00000000 (0) rid : 0x00000220 (544) xid: struct unixid id : 
0xffffffff (4294967295) type : ID_TYPE_GID (2) result : NT_STATUS_OK [2015/09/09 08:45:04.971594, 10, pid=10537, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:296(gencache_set_data_blob) Adding cache entry with key=[IDMAP/SID2XID/S-1-5-32-544] and timeout=[Wed Sep 9 08:47:04 AM 2015 CEST] (120 seconds ahead) [2015/09/09 08:45:04.971706, 10, pid=10537, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:756(wb_request_done) wb_request_done[11196:SID_TO_GID]: NT_STATUS_OK [2015/09/09 08:45:04.971778, 50, pid=10537, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f0e175a05f0 [2015/09/09 08:45:04.971834, 50, pid=10537, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f0e175a05f0 [2015/09/09 08:45:04.971908, 10, pid=10537, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:817(winbind_client_response_written) winbind_client_response_written[11196:SID_TO_GID]: delivered response to client ==> /var/log/samba/log.192.168.0.65 <== [2015/09/09 08:45:04.971999, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1442(sid_to_gid) sid S-1-5-32-544 -> gid 4294967295 [2015/09/09 08:45:04.972124, 10, pid=11196, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:296(gencache_set_data_blob) Adding cache entry with key=[IDMAP/SID2XID/S-1-5-32-545] and timeout=[Thu Jan 1 01:00:00 AM 1970 CET] (-1441781104 seconds in the past) ==> /var/log/samba/log.winbindd <== [2015/09/09 08:45:04.972673, 10, pid=10537, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:694(process_request) process_request: Handling async request 11196:SID_TO_GID [2015/09/09 08:45:04.972783, 3, pid=10537, effective(0, 0), real(0, 0), class=winbind] 
../source3/winbindd/winbindd_sid_to_gid.c:48(winbindd_sid_to_gid_send) sid to gid S-1-5-32-545 [2015/09/09 08:45:04.972841, 10, pid=10537, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send) SID 0: S-1-5-32-545 [2015/09/09 08:45:04.972912, 10, pid=10537, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_lookupsids.c:254(wb_lookupsids_bulk) No bulk setup for SID S-1-5-32-545 with 2 subauths [2015/09/09 08:45:04.972970, 10, pid=10537, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid) find_lookup_domain_from_sid(S-1-5-32-545) [2015/09/09 08:45:04.973020, 10, pid=10537, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:794(find_lookup_domain_from_sid) calling find_domain_from_sid [2015/09/09 08:45:04.973073, 1, pid=10537, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) wbint_LookupSid: struct wbint_LookupSid in: struct wbint_LookupSid sid : * sid : S-1-5-32-545 [2015/09/09 08:45:04.973281, 50, pid=10537, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f0e175a66c0 [2015/09/09 08:45:04.973342, 50, pid=10537, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f0e175a66c0 [2015/09/09 08:45:04.973400, 50, pid=10537, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Added timed event "tevent_req_timedout": 0x7f0e175a6190 ==> /var/log/samba/log.wb-BUILTIN <== [2015/09/09 08:45:04.973717, 10, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:72(child_read_request) Need to read 16 extra bytes [2015/09/09 08:45:04.973824, 4, pid=10540, effective(0, 0), real(0, 0), class=winbind] 
../source3/winbindd/winbindd_dual.c:1338(child_handler) child daemon request 59 [2015/09/09 08:45:04.973875, 10, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:459(child_process_request) child_process_request: request fn NDRCMD [2015/09/09 08:45:04.973921, 10, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_ndr.c:315(winbindd_dual_ndrcmd) winbindd_dual_ndrcmd: Running command WBINT_LOOKUPSID (BUILTIN) [2015/09/09 08:45:04.973975, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) wbint_LookupSid: struct wbint_LookupSid in: struct wbint_LookupSid sid : * sid : S-1-5-32-545 [2015/09/09 08:45:04.974091, 10, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:1983(sid_to_name) sid_to_name: [Cached] - doing backend query for name for domain BUILTIN [2015/09/09 08:45:04.974190, 3, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_samr.c:681(sam_sid_to_name) sam_sid_to_name [2015/09/09 08:45:04.974315, 4, pid=10540, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:68(make_internal_rpc_pipe_p) Create pipe requested lsarpc [2015/09/09 08:45:04.974379, 10, pid=10540, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:223(init_pipe_handles) init_pipe_handle_list: created handle list for pipe lsarpc [2015/09/09 08:45:04.974428, 10, pid=10540, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:240(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe lsarpc [2015/09/09 08:45:04.974505, 4, pid=10540, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:108(make_internal_rpc_pipe_p) Created internal pipe lsarpc [2015/09/09 08:45:04.974577, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) 
lsa_OpenPolicy: struct lsa_OpenPolicy in: struct lsa_OpenPolicy system_name : * system_name : 0x005c (92) attr : * attr: struct lsa_ObjectAttribute len : 0x00000018 (24) root_dir : NULL object_name : NULL attributes : 0x00000000 (0) sec_desc : NULL sec_qos : * sec_qos: struct lsa_QosInfo len : 0x0000000c (12) impersonation_level : 0x0002 (2) context_mode : 0x01 (1) effective_only : 0x00 (0) access_mask : 0x02000000 (33554432) 0: LSA_POLICY_VIEW_LOCAL_INFORMATION 0: LSA_POLICY_VIEW_AUDIT_INFORMATION 0: LSA_POLICY_GET_PRIVATE_INFORMATION 0: LSA_POLICY_TRUST_ADMIN 0: LSA_POLICY_CREATE_ACCOUNT 0: LSA_POLICY_CREATE_SECRET 0: LSA_POLICY_CREATE_PRIVILEGE 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS 0: LSA_POLICY_AUDIT_LOG_ADMIN 0: LSA_POLICY_SERVER_ADMIN 0: LSA_POLICY_LOOKUP_NAMES 0: LSA_POLICY_NOTIFICATION [2015/09/09 08:45:04.975248, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) lsa_OpenPolicy: struct lsa_OpenPolicy in: struct lsa_OpenPolicy system_name : * system_name : 0x005c (92) attr : * attr: struct lsa_ObjectAttribute len : 0x00000018 (24) root_dir : NULL object_name : NULL attributes : 0x00000000 (0) sec_desc : NULL sec_qos : * sec_qos: struct lsa_QosInfo len : 0x0000000c (12) impersonation_level : 0x0002 (2) context_mode : 0x01 (1) effective_only : 0x00 (0) access_mask : 0x02000000 (33554432) 0: LSA_POLICY_VIEW_LOCAL_INFORMATION 0: LSA_POLICY_VIEW_AUDIT_INFORMATION 0: LSA_POLICY_GET_PRIVATE_INFORMATION 0: LSA_POLICY_TRUST_ADMIN 0: LSA_POLICY_CREATE_ACCOUNT 0: LSA_POLICY_CREATE_SECRET 0: LSA_POLICY_CREATE_PRIVILEGE 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS 0: LSA_POLICY_AUDIT_LOG_ADMIN 0: LSA_POLICY_SERVER_ADMIN 0: LSA_POLICY_LOOKUP_NAMES 0: LSA_POLICY_NOTIFICATION [2015/09/09 08:45:04.975843, 10, pid=10540, effective(0, 0), real(0, 0)] ../libcli/security/access_check.c:58(se_map_generic) se_map_generic(): mapped mask 0xb0000000 to 0x000f0fff 
[2015/09/09 08:45:04.975899, 4, pid=10540, effective(0, 0), real(0, 0)] ../source3/rpc_server/srv_access_check.c:84(access_check_object) _lsa_OpenPolicy2: ACCESS should be DENIED (requested: 0x000f0fff) but overritten by euid == sec_initial_uid() [2015/09/09 08:45:04.975963, 4, pid=10540, effective(0, 0), real(0, 0)] ../source3/rpc_server/srv_access_check.c:105(access_check_object) _lsa_OpenPolicy2: access GRANTED (requested: 0x000f0fff, granted: 0x000f0fff) [2015/09/09 08:45:04.976015, 6, pid=10540, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:304(create_rpc_handle_internal) Opened policy hnd[1] [0000] 00 00 00 00 0B 00 00 00 00 00 00 00 EF 55 70 D5 ........ .....Up. [0010] 2C 29 00 00 ,).. [2015/09/09 08:45:04.976113, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) lsa_OpenPolicy: struct lsa_OpenPolicy out: struct lsa_OpenPolicy handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000b-0000-0000-ef55-70d52c290000 result : NT_STATUS_OK [2015/09/09 08:45:04.976339, 50, pid=10540, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Schedule immediate event "tevent_req_trigger": 0x7f0e175b3dc0 [2015/09/09 08:45:04.976394, 50, pid=10540, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Run immediate event "tevent_req_trigger": 0x7f0e175b3dc0 [2015/09/09 08:45:04.976447, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) lsa_OpenPolicy: struct lsa_OpenPolicy out: struct lsa_OpenPolicy handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000b-0000-0000-ef55-70d52c290000 result : NT_STATUS_OK [2015/09/09 08:45:04.976622, 10, pid=10540, effective(0, 0), real(0, 0)] ../source3/rpc_client/cli_lsarpc.c:410(dcerpc_lsa_lookup_sids_generic) rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
[2015/09/09 08:45:04.976686, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000b-0000-0000-ef55-70d52c290000 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-545 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) [2015/09/09 08:45:04.977126, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000b-0000-0000-ef55-70d52c290000 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-545 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) [2015/09/09 08:45:04.977588, 6, pid=10540, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0B 00 00 00 00 00 00 00 EF 55 70 D5 ........ .....Up. [0010] 2C 29 00 00 ,).. 
[2015/09/09 08:45:04.977696, 10, pid=10540, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:725(check_dom_sid_to_level) Accepting SID S-1-5-32 in level 1 [2015/09/09 08:45:04.977762, 10, pid=10540, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:486(lookup_rids) lookup_rids called for domain sid 'S-1-5-32' [2015/09/09 08:45:04.977819, 10, pid=10540, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/lsa/srv_lsa_nt.c:942(_lsa_lookup_sids_internal) num_sids 1, mapped_count 1, status NT_STATUS_OK [2015/09/09 08:45:04.977867, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x000a (10) size : 0x000a (10) string : * string : 'Users' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK [2015/09/09 08:45:04.978571, 50, pid=10540, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Schedule immediate event "tevent_req_trigger": 0x7f0e175b1e50 [2015/09/09 08:45:04.978627, 50, pid=10540, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Run immediate event "tevent_req_trigger": 0x7f0e175b1e50 [2015/09/09 08:45:04.978691, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 
0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x000a (10) size : 0x000a (10) string : * string : 'Users' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK [2015/09/09 08:45:04.979413, 10, pid=10540, effective(0, 0), real(0, 0)] ../source3/rpc_client/cli_lsarpc.c:253(dcerpc_lsa_lookup_sids_noalloc) LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' [2015/09/09 08:45:04.979482, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) lsa_Close: struct lsa_Close in: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000b-0000-0000-ef55-70d52c290000 [2015/09/09 08:45:04.979637, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) lsa_Close: struct lsa_Close in: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000b-0000-0000-ef55-70d52c290000 [2015/09/09 08:45:04.979780, 6, pid=10540, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0B 00 00 00 00 00 00 00 EF 55 70 D5 ........ .....Up. [0010] 2C 29 00 00 ,).. [2015/09/09 08:45:04.979878, 6, pid=10540, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0B 00 00 00 00 00 00 00 EF 55 70 D5 ........ .....Up. [0010] 2C 29 00 00 ,).. 
[2015/09/09 08:45:04.980013, 6, pid=10540, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:388(close_policy_hnd) Closed policy [2015/09/09 08:45:04.980062, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) lsa_Close: struct lsa_Close out: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK [2015/09/09 08:45:04.980272, 50, pid=10540, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Schedule immediate event "tevent_req_trigger": 0x7f0e175b1e50 [2015/09/09 08:45:04.980325, 50, pid=10540, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Run immediate event "tevent_req_trigger": 0x7f0e175b1e50 [2015/09/09 08:45:04.980377, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) lsa_Close: struct lsa_Close out: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK [2015/09/09 08:45:04.980560, 10, pid=10540, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:418(close_policy_by_pipe) Deleted handle list for RPC connection lsarpc [2015/09/09 08:45:04.980622, 10, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:538(refresh_sequence_number) refresh_sequence_number: BUILTIN time ok [2015/09/09 08:45:04.980668, 10, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:583(refresh_sequence_number) refresh_sequence_number: BUILTIN seq number is now 1441781104 [2015/09/09 08:45:04.980736, 10, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:991(wcache_save_sid_to_name) wcache_save_sid_to_name: S-1-5-32-545 -> BUILTIN\Users (NT_STATUS_OK) 
[2015/09/09 08:45:04.980790, 1, pid=10540, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) wbint_LookupSid: struct wbint_LookupSid out: struct wbint_LookupSid type : * type : SID_NAME_ALIAS (4) domain : * domain : * domain : 'BUILTIN' name : * name : * name : 'Users' result : NT_STATUS_OK [2015/09/09 08:45:04.981029, 4, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1346(child_handler) Finished processing child request 59 [2015/09/09 08:45:04.981095, 10, pid=10540, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1363(child_handler) Writing 3552 bytes to parent ==> /var/log/samba/log.winbindd <== [2015/09/09 08:45:04.981448, 50, pid=10537, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) samba_tevent: Destroying timer event 0x7f0e175a6190 "tevent_req_timedout" [2015/09/09 08:45:04.981576, 1, pid=10537, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) wbint_LookupSid: struct wbint_LookupSid out: struct wbint_LookupSid type : * type : SID_NAME_ALIAS (4) domain : * domain : * domain : 'BUILTIN' name : * name : * name : 'Users' result : NT_STATUS_OK [2015/09/09 08:45:04.981847, 1, pid=10537, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug) wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs in: struct wbint_Sids2UnixIDs domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000000 (0) ids : * ids: struct wbint_TransIDArray num_ids : 0x00000001 (1) ids: ARRAY(1) ids: struct wbint_TransID type : ID_TYPE_GID (2) domain_index : 0x00000000 (0) rid : 0x00000221 (545) xid: struct unixid id : 0xffffffff (4294967295) type : ID_TYPE_GID (2) [2015/09/09 08:45:04.982450, 50, pid=10537, 
server_id: struct server_id pid : 0x0000000000002bbc (11196) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbf238af92a5d8fc8 (-4673739185518178360) local_address : 'ipv4:192.168.0.65:445' remote_address : 'ipv4: 192.168.0.65:46193' remote_name : '192.168.0.65' auth_session_info_seqnum : 0x00000001 (1) [2015/09/09 08:45:05.006316, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 85785D5B [2015/09/09 08:45:05.006370, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/lib/samba/smbXsrv_session_global.tdb [2015/09/09 08:45:05.006416, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2015/09/09 08:45:05.006464, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_session.c:1270(smbXsrv_session_update) [2015/09/09 08:45:05.006492, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_session.c:1278(smbXsrv_session_update) smbXsrv_session_update: global_id (0x85785d5b) stored [2015/09/09 08:45:05.006536, 1, pid=11196, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug) &session_blob: struct smbXsrv_sessionB version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_sessionU(case 0) info0 : * info0: struct smbXsrv_session table : * db_rec : NULL connection : * local_id : 0x00004d9d (19869) global : * global: struct smbXsrv_session_global0 db_rec : NULL session_global_id : 0x85785d5b (2239257947) session_wire_id : 0x0000000000004d9d (19869) creation_time : Wed Sep 9 08:45:05 AM 2015 CEST expiration_time : Thu Jan 1 01:00:00 AM 1970 CET auth_session_info_seqnum : 0x00000001 (1) auth_session_info : * auth_session_info: struct auth_session_info security_token : * security_token: struct security_token num_sids : 0x00000007 (7) sids: ARRAY(7) sids : S-1-5-21-2755472311-3010766786-1504281988-500 
sids : S-1-5-21-2755472311-3010766786-1504281988-512 sids : S-1-1-0 sids : S-1-5-2 sids : S-1-5-11 sids : S-1-22-1-217400000 sids : S-1-22-2-217400000 privilege_mask : 0x0000000000000000 (0) 0: SEC_PRIV_MACHINE_ACCOUNT_BIT 0: SEC_PRIV_PRINT_OPERATOR_BIT 0: SEC_PRIV_ADD_USERS_BIT 0: SEC_PRIV_DISK_OPERATOR_BIT 0: SEC_PRIV_REMOTE_SHUTDOWN_BIT 0: SEC_PRIV_BACKUP_BIT 0: SEC_PRIV_RESTORE_BIT 0: SEC_PRIV_TAKE_OWNERSHIP_BIT 0: SEC_PRIV_INCREASE_QUOTA_BIT 0: SEC_PRIV_SECURITY_BIT 0: SEC_PRIV_LOAD_DRIVER_BIT 0: SEC_PRIV_SYSTEM_PROFILE_BIT 0: SEC_PRIV_SYSTEMTIME_BIT 0: SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT 0: SEC_PRIV_INCREASE_BASE_PRIORITY_BIT 0: SEC_PRIV_CREATE_PAGEFILE_BIT 0: SEC_PRIV_SHUTDOWN_BIT 0: SEC_PRIV_DEBUG_BIT 0: SEC_PRIV_SYSTEM_ENVIRONMENT_BIT 0: SEC_PRIV_CHANGE_NOTIFY_BIT 0: SEC_PRIV_UNDOCK_BIT 0: SEC_PRIV_ENABLE_DELEGATION_BIT 0: SEC_PRIV_MANAGE_VOLUME_BIT 0: SEC_PRIV_IMPERSONATE_BIT 0: SEC_PRIV_CREATE_GLOBAL_BIT rights_mask : 0x00000000 (0) 0: LSA_POLICY_MODE_INTERACTIVE 0: LSA_POLICY_MODE_NETWORK 0: LSA_POLICY_MODE_BATCH 0: LSA_POLICY_MODE_SERVICE 0: LSA_POLICY_MODE_PROXY 0: LSA_POLICY_MODE_DENY_INTERACTIVE 0: LSA_POLICY_MODE_DENY_NETWORK 0: LSA_POLICY_MODE_DENY_BATCH 0: LSA_POLICY_MODE_DENY_SERVICE 0: LSA_POLICY_MODE_REMOTE_INTERACTIVE 0: LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE 0x00: LSA_POLICY_MODE_ALL (0) 0x00: LSA_POLICY_MODE_ALL_NT4 (0) unix_token : * unix_token: struct security_unix_token uid : 0x000000000cf542c0 (217400000) gid : 0x000000000cf542c0 (217400000) ngroups : 0x00000001 (1) groups: ARRAY(1) groups : 0x000000000cf542c0 (217400000) info : * info: struct auth_user_info account_name : * account_name : 'admin' domain_name : * domain_name : 'IPA' full_name : * full_name : 'Administrator' logon_script : * logon_script : '' profile_path : * profile_path : '' home_directory : * home_directory : '' home_drive : * home_drive : '' logon_server : * logon_server : 'SRV01' last_logon : NTTIME(0) last_logoff : Thu Jan 1 01:00:00 AM 1970 CET acct_expiry : Thu 
Jan 1 01:00:00 AM 1970 CET last_password_change : Mon Sep 7 12:17:41 PM 2015 CEST allow_password_change : NTTIME(0) force_password_change : Thu Jan 1 01:00:00 AM 1970 CET logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) acct_flags : 0x00000010 (16) authenticated : 0x01 (1) unix_info : * unix_info: struct auth_user_info_unix unix_name : * unix_name : 'admin' sanitized_username : * sanitized_username : 'admin' torture : NULL credentials : NULL connection_dialect : 0x0000 (0) signing_required : 0x00 (0) encryption_required : 0x00 (0) num_channels : 0x00000001 (1) channels: ARRAY(1) channels: struct smbXsrv_channel_global0 server_id: struct server_id pid : 0x0000000000002bbc (11196) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbf238af92a5d8fc8 (-4673739185518178360) local_address : 'ipv4: 192.168.0.65:445' remote_address : 'ipv4: 192.168.0.65:46193' remote_name : '192.168.0.65' auth_session_info_seqnum : 0x00000001 (1) status : NT_STATUS_OK idle_time : Wed Sep 9 08:45:05 AM 2015 CEST nonce_high : 0x0000000000000000 (0) nonce_low : 0x0000000000000000 (0) gensec : * compat : * tcon_table : NULL [2015/09/09 08:45:05.009578, 6, pid=11196, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2661(lp_file_list_changed) lp_file_list_changed() [2015/09/09 08:45:05.009654, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:168(show_msg) [2015/09/09 08:45:05.009687, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:178(show_msg) size=274 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51203 smb_tid=0 smb_pid=7861 smb_uid=19869 smb_mid=1 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 186 (0xBA) smb_bcc=231 [2015/09/09 08:45:05.009964, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/util.c:556(dump_data) [0000] A1 81 B7 30 81 B4 A0 03 0A 01 00 A1 0B 06 09 2A ...0.... .......* [0010] 86 48 82 F7 12 01 02 02 A2 81 9F 04 81 9C 60 81 .H...... ......`. 
[0020] 99 06 09 2A 86 48 86 F7 12 01 02 02 02 00 6F 81 ...*.H.. ......o. [0030] 89 30 81 86 A0 03 02 01 05 A1 03 02 01 0F A2 7A .0...... .......z [0040] 30 78 A0 03 02 01 12 A2 71 04 6F D1 33 EB DE BD 0x...... q.o.3... [0050] 3B A9 99 AC C4 66 CF 15 65 9A 18 1C E6 21 EC 2F ;....f.. e....!./ [0060] 90 6A CD 86 D8 1F A8 71 77 1F A3 E8 5C A7 64 74 .j.....q w...\.dt [0070] D5 A9 7A 24 15 D6 E6 F3 74 69 62 A2 77 52 1F 21 ..z$.... tib.wR.! [0080] 38 96 44 44 AE 7A B6 FB 9F 16 5A B8 65 52 1A 49 8.DD.z.. ..Z.eR.I [0090] E3 96 D5 FA FA 93 66 2A B9 B5 3F ED 9B 02 B2 18 ......f* ..?..... [00A0] 13 97 2E D2 5A 61 F0 E7 D5 5C C6 BA B6 B5 98 6C ....Za.. .\.....l [00B0] 77 4E 4E 67 22 C5 AA 3C E5 A6 00 55 00 6E 00 69 wNNg"..< ...U.n.i [00C0] 00 78 00 00 00 53 00 61 00 6D 00 62 00 61 00 20 .x...S.a .m.b.a. [00D0] 00 34 00 2E 00 31 00 2E 00 31 00 32 00 00 00 49 .4...1.. .1.2...I [00E0] 00 50 00 41 00 00 00 .P.A... ==> /var/log/httpd/error_log <== s4_tevent: Destroying timer event 0x7f8a3c0e51e0 "tevent_req_timedout" gensec_gssapi: NO credentials were delegated GSSAPI Connection will be cryptographically sealed s4_tevent: Added timed event "tevent_req_timedout": 0x7f8a3c050de0 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f8a3c0c61c0 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f8a3c0c61c0 ==> /var/log/samba/log.192.168.0.65 <== [2015/09/09 08:45:05.013682, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:337(read_smb_length_return_keepalive) got smb length of 122 [2015/09/09 08:45:05.013777, 6, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1800(process_smb) got message type 0x0 of len 0x7a [2015/09/09 08:45:05.013828, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1802(process_smb) Transaction 2 of length 126 (0 toread) [2015/09/09 08:45:05.013909, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:168(show_msg) [2015/09/09 08:45:05.013938, 5, pid=11196, 
effective(0, 0), real(0, 0)] ../source3/lib/util.c:178(show_msg) size=122 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51203 smb_tid=0 smb_pid=7861 smb_uid=19869 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 12 (0xC) smb_vwv[ 3]= 0 (0x0) smb_bcc=79 [2015/09/09 08:45:05.014359, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/util.c:556(dump_data) [0000] 00 5C 00 5C 00 4D 00 4C 00 56 00 2D 00 49 00 50 .\.\.M.L .V.-.I.P [0010] 00 41 00 30 00 31 00 2E 00 49 00 50 00 41 00 2E .A.0.1.. .I.P.A.. [0020] 00 50 00 45 00 44 00 4F 00 4E 00 47 00 52 00 4F .P.E.D.O .N.G.R.O [0030] 00 55 00 50 00 2E 00 43 00 4F 00 4D 00 5C 00 49 .U.P...C .O.M.\.I [0040] 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F 3F 00 .P.C.$.. .?????. [2015/09/09 08:45:05.014578, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1405(switch_message) switch message SMBtconX (pid 11196) conn 0x0 [2015/09/09 08:45:05.014737, 0, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1361(smb_dump) created /tmp/SMBtconX.2.req len 126 [2015/09/09 08:45:05.014869, 4, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2015/09/09 08:45:05.014920, 5, pid=11196, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2015/09/09 08:45:05.014963, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:629(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2015/09/09 08:45:05.015031, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2015/09/09 08:45:05.015112, 4, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/reply.c:857(reply_tcon_and_X) Client requested device type [?????] 
for share [IPC$] [2015/09/09 08:45:05.015254, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:1106(make_connection) making a connection to 'normal' service ipc$ [2015/09/09 08:45:05.015322, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order) check lock order 1 for /var/lib/samba/smbXsrv_tcon_global.tdb [2015/09/09 08:45:05.015382, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/lib/samba/smbXsrv_tcon_global.tdb 2: 3: [2015/09/09 08:45:05.015434, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 52933F32 [2015/09/09 08:45:05.015491, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f7118a4ff40 [2015/09/09 08:45:05.015606, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_tcon.c:673(smbXsrv_tcon_global_store) [2015/09/09 08:45:05.015648, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_tcon.c:675(smbXsrv_tcon_global_store) smbXsrv_tcon_global_store: key '52933F32' stored [2015/09/09 08:45:05.015696, 1, pid=11196, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug) &global_blob: struct smbXsrv_tcon_globalB version : SMBXSRV_VERSION_0 (0) seqnum : 0x00000001 (1) info : union smbXsrv_tcon_globalU(case 0) info0 : * info0: struct smbXsrv_tcon_global0 db_rec : * tcon_global_id : 0x52933f32 (1385381682) tcon_wire_id : 0x0000bab3 (47795) server_id: struct server_id pid : 0x0000000000002bbc (11196) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbf238af92a5d8fc8 (-4673739185518178360) creation_time : Wed Sep 9 08:45:05 AM 2015 CEST share_name : NULL encryption_required : 0x00 (0) session_global_id : 0x00000000 (0) [2015/09/09 08:45:05.016080, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 
52933F32 [2015/09/09 08:45:05.016129, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/lib/samba/smbXsrv_tcon_global.tdb [2015/09/09 08:45:05.016215, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2015/09/09 08:45:05.016265, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_tcon.c:797(smbXsrv_tcon_create) [2015/09/09 08:45:05.016294, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_tcon.c:805(smbXsrv_tcon_create) smbXsrv_tcon_create: global_id (0x52933f32) stored [2015/09/09 08:45:05.016337, 1, pid=11196, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug) &tcon_blob: struct smbXsrv_tconB version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_tconU(case 0) info0 : * info0: struct smbXsrv_tcon table : * db_rec : NULL local_id : 0x0000bab3 (47795) global : * global: struct smbXsrv_tcon_global0 db_rec : NULL tcon_global_id : 0x52933f32 (1385381682) tcon_wire_id : 0x0000bab3 (47795) server_id: struct server_id pid : 0x0000000000002bbc (11196) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbf238af92a5d8fc8 (-4673739185518178360) creation_time : Wed Sep 9 08:45:05 AM 2015 CEST share_name : NULL encryption_required : 0x00 (0) session_global_id : 0x00000000 (0) status : NT_STATUS_INTERNAL_ERROR idle_time : Wed Sep 9 08:45:05 AM 2015 CEST compat : NULL [2015/09/09 08:45:05.017052, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/access.c:338(allow_access) Allowed connection from 192.168.0.65 (192.168.0.65) [2015/09/09 08:45:05.017116, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:237(user_ok_token) user_ok_token: share IPC$ is ok for unix user admin [2015/09/09 08:45:05.017322, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:163(set_conn_connectpath) 
set_conn_connectpath: service IPC$, connectpath = /tmp [2015/09/09 08:45:05.017412, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:612(make_connection_snum) Connect path is '/tmp' for service [IPC$] [2015/09/09 08:45:05.017465, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:237(user_ok_token) user_ok_token: share IPC$ is ok for unix user admin [2015/09/09 08:45:05.017513, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:284(is_share_read_only_for_token) is_share_read_only_for_user: share IPC$ is read-only for unix user admin [2015/09/09 08:45:05.017593, 10, pid=11196, effective(0, 0), real(0, 0)] ../libcli/security/access_check.c:337(se_file_access_check) se_file_access_check: MAX desired = 0x2000000 mapped to 0x1f01ff [2015/09/09 08:45:05.017650, 3, pid=11196, effective(0, 0), real(0, 0), class=vfs] ../source3/smbd/vfs.c:113(vfs_init_default) Initialising default vfs hooks [2015/09/09 08:45:05.017704, 10, pid=11196, effective(0, 0), real(0, 0), class=vfs] ../source3/smbd/vfs.c:64(vfs_find_backend_entry) vfs_find_backend_entry called for posixacl [2015/09/09 08:45:05.017749, 5, pid=11196, effective(0, 0), real(0, 0), class=vfs] ../source3/smbd/vfs.c:103(smb_register_vfs) Successfully added vfs backend 'posixacl' [2015/09/09 08:45:05.017796, 10, pid=11196, effective(0, 0), real(0, 0), class=vfs] ../source3/smbd/vfs.c:64(vfs_find_backend_entry) vfs_find_backend_entry called for /[Default VFS]/ [2015/09/09 08:45:05.017842, 5, pid=11196, effective(0, 0), real(0, 0), class=vfs] ../source3/smbd/vfs.c:103(smb_register_vfs) Successfully added vfs backend '/[Default VFS]/' [2015/09/09 08:45:05.017886, 3, pid=11196, effective(0, 0), real(0, 0), class=vfs] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [/[Default VFS]/] [2015/09/09 08:45:05.017932, 10, pid=11196, effective(0, 0), real(0, 0), class=vfs] ../source3/smbd/vfs.c:64(vfs_find_backend_entry) 
vfs_find_backend_entry called for /[Default VFS]/ Successfully loaded vfs module [/[Default VFS]/] with the new modules system [2015/09/09 08:45:05.018017, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:163(set_conn_connectpath) set_conn_connectpath: service IPC$, connectpath = /tmp [2015/09/09 08:45:05.018070, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:237(user_ok_token) user_ok_token: share IPC$ is ok for unix user admin [2015/09/09 08:45:05.018117, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:284(is_share_read_only_for_token) is_share_read_only_for_user: share IPC$ is read-only for unix user admin [2015/09/09 08:45:05.018221, 10, pid=11196, effective(0, 0), real(0, 0)] ../libcli/security/access_check.c:337(se_file_access_check) se_file_access_check: MAX desired = 0x2000000 mapped to 0x1f01ff [2015/09/09 08:45:05.018331, 4, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx) setting sec ctx (217400000, 217400000) - sec_ctx_stack_ndx = 0 [2015/09/09 08:45:05.018400, 5, pid=11196, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (7): SID[ 0]: S-1-5-21-2755472311-3010766786-1504281988-500 SID[ 1]: S-1-5-21-2755472311-3010766786-1504281988-512 SID[ 2]: S-1-1-0 SID[ 3]: S-1-5-2 SID[ 4]: S-1-5-11 SID[ 5]: S-1-22-1-217400000 SID[ 6]: S-1-22-2-217400000 Privileges (0x 0): Rights (0x 0): [2015/09/09 08:45:05.018605, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:629(debug_unix_user_token) UNIX token of user 217400000 Primary group is 217400000 and contains 1 supplementary groups Group[ 0]: 217400000 [2015/09/09 08:45:05.018698, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(217400000,217400000), gid=(0,217400000) [2015/09/09 08:45:05.018754, 4, pid=11196, effective(217400000, 
217400000), real(217400000, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2015/09/09 08:45:05.018801, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2015/09/09 08:45:05.018845, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/auth/token_util.c:629(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2015/09/09 08:45:05.018915, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2015/09/09 08:45:05.018972, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:163(set_conn_connectpath) set_conn_connectpath: service IPC$, connectpath = /tmp [2015/09/09 08:45:05.019047, 10, pid=11196, effective(0, 0), real(0, 0), class=vfs] ../source3/modules/vfs_default.c:164(vfswrap_fs_capabilities) vfswrap_fs_capabilities: timestamp resolution of sec available on share IPC$, directory /tmp [2015/09/09 08:45:05.019101, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:856(make_connection_snum) 192.168.0.65 (ipv4:192.168.0.65:46193) connect to service IPC$ initially as user admin (uid=217400000, gid=217400000) (pid 11196) [2015/09/09 08:45:05.019213, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order) check lock order 1 for /var/lib/samba/smbXsrv_tcon_global.tdb [2015/09/09 08:45:05.019267, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/lib/samba/smbXsrv_tcon_global.tdb 2: 3: [2015/09/09 08:45:05.019318, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 52933F32 [2015/09/09 08:45:05.019371, 10, pid=11196, effective(0, 0), real(0, 0)] 
../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f7118a82690 [2015/09/09 08:45:05.019433, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_tcon.c:673(smbXsrv_tcon_global_store) [2015/09/09 08:45:05.019466, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_tcon.c:675(smbXsrv_tcon_global_store) smbXsrv_tcon_global_store: key '52933F32' stored [2015/09/09 08:45:05.019512, 1, pid=11196, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug) &global_blob: struct smbXsrv_tcon_globalB version : SMBXSRV_VERSION_0 (0) seqnum : 0x00000002 (2) info : union smbXsrv_tcon_globalU(case 0) info0 : * info0: struct smbXsrv_tcon_global0 db_rec : * tcon_global_id : 0x52933f32 (1385381682) tcon_wire_id : 0x0000bab3 (47795) server_id: struct server_id pid : 0x0000000000002bbc (11196) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbf238af92a5d8fc8 (-4673739185518178360) creation_time : Wed Sep 9 08:45:05 AM 2015 CEST share_name : 'IPC$' encryption_required : 0x00 (0) session_global_id : 0x85785d5b (2239257947) [2015/09/09 08:45:05.019904, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 52933F32 [2015/09/09 08:45:05.019955, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/lib/samba/smbXsrv_tcon_global.tdb [2015/09/09 08:45:05.019999, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2015/09/09 08:45:05.020047, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_tcon.c:850(smbXsrv_tcon_update) [2015/09/09 08:45:05.020075, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/smbXsrv_tcon.c:858(smbXsrv_tcon_update) smbXsrv_tcon_update: global_id (0x52933f32) stored [2015/09/09 08:45:05.020118, 1, pid=11196, effective(0, 0), real(0, 0)] 
../librpc/ndr/ndr.c:296(ndr_print_debug) &tcon_blob: struct smbXsrv_tconB version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_tconU(case 0) info0 : * info0: struct smbXsrv_tcon table : * db_rec : NULL local_id : 0x0000bab3 (47795) global : * global: struct smbXsrv_tcon_global0 db_rec : NULL tcon_global_id : 0x52933f32 (1385381682) tcon_wire_id : 0x0000bab3 (47795) server_id: struct server_id pid : 0x0000000000002bbc (11196) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbf238af92a5d8fc8 (-4673739185518178360) creation_time : Wed Sep 9 08:45:05 AM 2015 CEST share_name : 'IPC$' encryption_required : 0x00 (0) session_global_id : 0x85785d5b (2239257947) status : NT_STATUS_OK idle_time : Wed Sep 9 08:45:05 AM 2015 CEST compat : * [2015/09/09 08:45:05.020691, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/reply.c:1024(reply_tcon_and_X) tconX service=IPC$ [2015/09/09 08:45:05.020739, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:168(show_msg) [2015/09/09 08:45:05.020767, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:178(show_msg) size=56 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51203 smb_tid=47795 smb_pid=7861 smb_uid=19869 smb_mid=2 smt_wct=7 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 33 (0x21) smb_vwv[ 3]= 511 (0x1FF) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 511 (0x1FF) smb_vwv[ 6]= 0 (0x0) smb_bcc=7 [2015/09/09 08:45:05.021090, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/util.c:556(dump_data) [0000] 49 50 43 00 00 00 00 IPC.... 
==> /var/log/httpd/error_log <== s4_tevent: Destroying timer event 0x7f8a3c050de0 "tevent_req_timedout" s4_tevent: Added timed event "tevent_req_timedout": 0x7f8a3c4c9190 s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f8a3c0c61c0 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f8a3c0c61c0 ==> /var/log/samba/log.192.168.0.65 <== [2015/09/09 08:45:05.025008, 10, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:337(read_smb_length_return_keepalive) got smb length of 100 [2015/09/09 08:45:05.025142, 6, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1800(process_smb) got message type 0x0 of len 0x64 [2015/09/09 08:45:05.025251, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1802(process_smb) Transaction 3 of length 104 (0 toread) [2015/09/09 08:45:05.025366, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:168(show_msg) [2015/09/09 08:45:05.025411, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/util.c:178(show_msg) size=100 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51203 smb_tid=47795 smb_pid=7861 smb_uid=19869 smb_mid=3 smt_wct=24 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 4864 (0x1300) smb_vwv[ 8]= 513 (0x201) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 768 (0x300) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 256 (0x100) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]= 512 (0x200) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_bcc=17 [2015/09/09 08:45:05.026116, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/util.c:556(dump_data) [0000] 00 5C 00 6C 00 73 00 61 00 72 00 70 00 63 00 00 .\.l.s.a .r.p.c.. [0010] 00 . 
[2015/09/09 08:45:05.026263, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1405(switch_message) switch message SMBntcreateX (pid 11196) conn 0x7f7118a8e4f0 [2015/09/09 08:45:05.026469, 0, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1361(smb_dump) created /tmp/SMBntcreateX.2.req len 104 [2015/09/09 08:45:05.026582, 4, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx) setting sec ctx (217400000, 217400000) - sec_ctx_stack_ndx = 0 [2015/09/09 08:45:05.026635, 5, pid=11196, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (7): SID[ 0]: S-1-5-21-2755472311-3010766786-1504281988-500 SID[ 1]: S-1-5-21-2755472311-3010766786-1504281988-512 SID[ 2]: S-1-1-0 SID[ 3]: S-1-5-2 SID[ 4]: S-1-5-11 SID[ 5]: S-1-22-1-217400000 SID[ 6]: S-1-22-2-217400000 Privileges (0x 0): Rights (0x 0): [2015/09/09 08:45:05.026840, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:629(debug_unix_user_token) UNIX token of user 217400000 Primary group is 217400000 and contains 1 supplementary groups Group[ 0]: 217400000 [2015/09/09 08:45:05.026932, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(217400000,217400000), gid=(0,217400000) [2015/09/09 08:45:05.026990, 4, pid=11196, effective(217400000, 217400000), real(217400000, 0), class=vfs] ../source3/smbd/vfs.c:838(vfs_ChDir) vfs_ChDir to /tmp [2015/09/09 08:45:05.027067, 4, pid=11196, effective(217400000, 217400000), real(217400000, 0), class=vfs] ../source3/smbd/vfs.c:849(vfs_ChDir) vfs_ChDir got /tmp [2015/09/09 08:45:05.027128, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/nttrans.c:503(reply_ntcreate_and_X) reply_ntcreate_and_X: flags = 0x0, access_mask = 0x20113 file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x0 
root_dir_fid = 0x0, fname = lsarpc [2015/09/09 08:45:05.027232, 4, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/nttrans.c:288(nt_open_pipe) nt_open_pipe: Opening pipe \lsarpc. [2015/09/09 08:45:05.027297, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order) check lock order 1 for /var/lib/samba/smbXsrv_open_global.tdb [2015/09/09 08:45:05.027358, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/lib/samba/smbXsrv_open_global.tdb 2: 3: [2015/09/09 08:45:05.027411, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 37EAEB59 [2015/09/09 08:45:05.027466, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f7118a7b280 [2015/09/09 08:45:05.027618, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/smbXsrv_open.c:696(smbXsrv_open_global_store) [2015/09/09 08:45:05.027666, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/smbXsrv_open.c:698(smbXsrv_open_global_store) smbXsrv_open_global_store: key '37EAEB59' stored [2015/09/09 08:45:05.027715, 1, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug) &global_blob: struct smbXsrv_open_globalB version : SMBXSRV_VERSION_0 (0) seqnum : 0x00000001 (1) info : union smbXsrv_open_globalU(case 0) info0 : * info0: struct smbXsrv_open_global0 db_rec : * server_id: struct server_id pid : 0x0000000000002bbc (11196) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbf238af92a5d8fc8 (-4673739185518178360) open_global_id : 0x37eaeb59 (938142553) open_persistent_id : 0x0000000037eaeb59 (938142553) open_volatile_id : 0x00000000000084d5 (34005) 
open_owner : S-1-5-21-2755472311-3010766786-1504281988-500 open_time : Wed Sep 9 08:45:05 AM 2015 CEST create_guid : 00000000-0000-0000-0000-000000000000 client_guid : 00000000-0000-0000-0000-000000000000 app_instance_id : 00000000-0000-0000-0000-000000000000 disconnect_time : NTTIME(0) durable_timeout_msec : 0x00000000 (0) durable : 0x00 (0) backend_cookie : DATA_BLOB length=0 [2015/09/09 08:45:05.028267, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 37EAEB59 [2015/09/09 08:45:05.028320, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/lib/samba/smbXsrv_open_global.tdb [2015/09/09 08:45:05.028366, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2015/09/09 08:45:05.028414, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/smbXsrv_open.c:863(smbXsrv_open_create) [2015/09/09 08:45:05.028443, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/smbXsrv_open.c:871(smbXsrv_open_create) smbXsrv_open_create: global_id (0x37eaeb59) stored [2015/09/09 08:45:05.028486, 1, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug) &open_blob: struct smbXsrv_openB version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_openU(case 0) info0 : * info0: struct smbXsrv_open table : * db_rec : NULL local_id : 0x000084d5 (34005) global : * global: struct smbXsrv_open_global0 db_rec : NULL server_id: struct server_id pid : 0x0000000000002bbc (11196) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbf238af92a5d8fc8 (-4673739185518178360) open_global_id : 0x37eaeb59 (938142553) open_persistent_id : 0x0000000037eaeb59 (938142553) open_volatile_id : 
0x00000000000084d5 (34005) open_owner : S-1-5-21-2755472311-3010766786-1504281988-500 open_time : Wed Sep 9 08:45:05 AM 2015 CEST create_guid : 00000000-0000-0000-0000-000000000000 client_guid : 00000000-0000-0000-0000-000000000000 app_instance_id : 00000000-0000-0000-0000-000000000000 disconnect_time : NTTIME(0) durable_timeout_msec : 0x00000000 (0) durable : 0x00 (0) backend_cookie : DATA_BLOB length=0 status : NT_STATUS_OK idle_time : Wed Sep 9 08:45:05 AM 2015 CEST compat : NULL [2015/09/09 08:45:05.029189, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/files.c:128(file_new) allocated file structure fnum 34005 (1 used) [2015/09/09 08:45:05.029265, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/files.c:716(file_name_hash) file_name_hash: /tmp/lsarpc hash 0xa9e2e929 [2015/09/09 08:45:05.029404, 4, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx) push_sec_ctx(217400000, 217400000) : sec_ctx_stack_ndx = 1 [2015/09/09 08:45:05.029467, 4, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/uid.c:485(push_conn_ctx) push_conn_ctx(19869) : conn_ctx_stack_ndx = 0 [2015/09/09 08:45:05.029515, 4, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2015/09/09 08:45:05.029559, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2015/09/09 08:45:05.029602, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/auth/token_util.c:629(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2015/09/09 08:45:05.029701, 10, pid=11196, effective(0, 0), real(0, 0)] ../libcli/named_pipe_auth/npa_tstream.c:149(tstream_npa_connect_send) [2015/09/09 08:45:05.029739, 
1, pid=11196, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug) &state->auth_req: struct named_pipe_auth_req length : 0x00000000 (0) magic : NULL level : 0x00000004 (4) info : union named_pipe_auth_req_info(case 4) info4: struct named_pipe_auth_req_info4 client_name : * client_name : '192.168.0.65' client_addr : * client_addr : '192.168.0.65' client_port : 0xb471 (46193) server_name : * server_name : '192.168.0.65' server_addr : * server_addr : '192.168.0.65' server_port : 0x01bd (445) session_info : * session_info: struct auth_session_info_transport session_info : * session_info: struct auth_session_info security_token : * security_token: struct security_token num_sids : 0x00000007 (7) sids: ARRAY(7) sids : S-1-5-21-2755472311-3010766786-1504281988-500 sids : S-1-5-21-2755472311-3010766786-1504281988-512 sids : S-1-1-0 sids : S-1-5-2 sids : S-1-5-11 sids : S-1-22-1-217400000 sids : S-1-22-2-217400000 privilege_mask : 0x0000000000000000 (0) 0: SEC_PRIV_MACHINE_ACCOUNT_BIT 0: SEC_PRIV_PRINT_OPERATOR_BIT 0: SEC_PRIV_ADD_USERS_BIT 0: SEC_PRIV_DISK_OPERATOR_BIT 0: SEC_PRIV_REMOTE_SHUTDOWN_BIT 0: SEC_PRIV_BACKUP_BIT 0: SEC_PRIV_RESTORE_BIT 0: SEC_PRIV_TAKE_OWNERSHIP_BIT 0: SEC_PRIV_INCREASE_QUOTA_BIT 0: SEC_PRIV_SECURITY_BIT 0: SEC_PRIV_LOAD_DRIVER_BIT 0: SEC_PRIV_SYSTEM_PROFILE_BIT 0: SEC_PRIV_SYSTEMTIME_BIT 0: SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT 0: SEC_PRIV_INCREASE_BASE_PRIORITY_BIT 0: SEC_PRIV_CREATE_PAGEFILE_BIT 0: SEC_PRIV_SHUTDOWN_BIT 0: SEC_PRIV_DEBUG_BIT 0: SEC_PRIV_SYSTEM_ENVIRONMENT_BIT 0: SEC_PRIV_CHANGE_NOTIFY_BIT 0: SEC_PRIV_UNDOCK_BIT 0: SEC_PRIV_ENABLE_DELEGATION_BIT 0: SEC_PRIV_MANAGE_VOLUME_BIT 0: SEC_PRIV_IMPERSONATE_BIT 0: SEC_PRIV_CREATE_GLOBAL_BIT rights_mask : 0x00000000 (0) 0: LSA_POLICY_MODE_INTERACTIVE 0: LSA_POLICY_MODE_NETWORK 0: LSA_POLICY_MODE_BATCH 0: LSA_POLICY_MODE_SERVICE 0: LSA_POLICY_MODE_PROXY 0: LSA_POLICY_MODE_DENY_INTERACTIVE 0: LSA_POLICY_MODE_DENY_NETWORK 0: LSA_POLICY_MODE_DENY_BATCH 0: 
LSA_POLICY_MODE_DENY_SERVICE 0: LSA_POLICY_MODE_REMOTE_INTERACTIVE 0: LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE 0x00: LSA_POLICY_MODE_ALL (0) 0x00: LSA_POLICY_MODE_ALL_NT4 (0) unix_token : * unix_token: struct security_unix_token uid : 0x000000000cf542c0 (217400000) gid : 0x000000000cf542c0 (217400000) ngroups : 0x00000001 (1) groups: ARRAY(1) groups : 0x000000000cf542c0 (217400000) info : * info: struct auth_user_info account_name : * account_name : 'admin' domain_name : * domain_name : 'IPA' full_name : * full_name : 'Administrator' logon_script : * logon_script : '' profile_path : * profile_path : '' home_directory : * home_directory : '' home_drive : * home_drive : '' logon_server : * logon_server : 'SRV01' last_logon : NTTIME(0) last_logoff : Thu Jan 1 01:00:00 AM 1970 CET acct_expiry : Thu Jan 1 01:00:00 AM 1970 CET last_password_change : Mon Sep 7 12:17:41 PM 2015 CEST allow_password_change : NTTIME(0) force_password_change : Thu Jan 1 01:00:00 AM 1970 CET logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) acct_flags : 0x00000010 (16) authenticated : 0x01 (1) unix_info : * unix_info: struct auth_user_info_unix unix_name : * unix_name : 'admin' sanitized_username : * sanitized_username : 'admin' torture : NULL credentials : NULL [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0 [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug) s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0 [2015/09/09 08:45:05.032353, 4, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx) pop_sec_ctx (217400000, 217400000) - sec_ctx_stack_ndx = 0 [2015/09/09 08:45:05.032421, 2, pid=11196, effective(217400000, 217400000), real(217400000, 0), class=rpc_srv] 
../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p) tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory [2015/09/09 08:45:05.032499, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/pipes.c:74(open_np_file) np_open(lsarpc) returned NT_STATUS_OBJECT_NAME_NOT_FOUND [2015/09/09 08:45:05.032550, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order) check lock order 1 for /var/lib/samba/smbXsrv_open_global.tdb [2015/09/09 08:45:05.032597, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/lib/samba/smbXsrv_open_global.tdb 2: 3: [2015/09/09 08:45:05.032647, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 37EAEB59 [2015/09/09 08:45:05.032702, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f7118a81120 [2015/09/09 08:45:05.032763, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 37EAEB59 [2015/09/09 08:45:05.032811, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/lib/samba/smbXsrv_open_global.tdb [2015/09/09 08:45:05.032872, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2015/09/09 08:45:05.032962, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/files.c:528(file_free) freed files structure 34005 (0 used) [2015/09/09 08:45:05.033040, 3, pid=11196, effective(217400000, 217400000), real(217400000, 0)] 
../source3/smbd/error.c:82(error_packet_set) NT error packet at ../source3/smbd/nttrans.c(299) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_NOT_FOUND [2015/09/09 08:45:05.033094, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/lib/util.c:168(show_msg) [2015/09/09 08:45:05.033123, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/lib/util.c:178(show_msg) size=35 smb_com=0xa2 smb_rcls=52 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51203 smb_tid=47795 smb_pid=7861 smb_uid=19869 smb_mid=3 smt_wct=0 smb_bcc=0 [2015/09/09 08:45:05.033378, 10, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../lib/util/util.c:556(dump_data) ==> /var/log/httpd/error_log <== s4_tevent: Destroying timer event 0x7f8a3c4c9190 "tevent_req_timedout" s4_tevent: Destroying timer event 0x7f8a3c224990 "dcerpc_connect_timeout_handler" [Wed Sep 09 08:45:05.035958 2015] [:error] [pid 7861] ipa: INFO: [jsonserver_session] admin at IPA.MYDOMAIN.COM: trust_add(u'mydomain.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): NotFound ==> /var/log/samba/log.192.168.0.65 <== [2015/09/09 08:45:05.048536, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/lib/util_sock.c:137(read_fd_with_timeout) read_fd_with_timeout: blocking read. EOF from client. [2015/09/09 08:45:05.048658, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/process.c:487(receive_smb_talloc) receive_smb_raw_talloc failed for client ipv4:192.168.0.65:46193 read error = NT_STATUS_END_OF_FILE. 
[2015/09/09 08:45:05.048735, 4, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2015/09/09 08:45:05.048784, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2015/09/09 08:45:05.048829, 5, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/auth/token_util.c:629(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2015/09/09 08:45:05.048917, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2015/09/09 08:45:05.048977, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order) check lock order 1 for /var/lib/samba/smbXsrv_tcon_global.tdb [2015/09/09 08:45:05.049024, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/lib/samba/smbXsrv_tcon_global.tdb 2: 3: [2015/09/09 08:45:05.049074, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 52933F32 [2015/09/09 08:45:05.049129, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f7118a8c250 [2015/09/09 08:45:05.049241, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 52933F32 [2015/09/09 08:45:05.049296, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/lib/samba/smbXsrv_tcon_global.tdb [2015/09/09 08:45:05.049340, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2015/09/09 08:45:05.049392, 4, pid=11196, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:316(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2015/09/09 08:45:05.049438, 5, pid=11196, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2015/09/09 08:45:05.049481, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:629(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2015/09/09 08:45:05.049546, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2015/09/09 08:45:05.049593, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:1130(close_cnum) 192.168.0.65 (ipv4:192.168.0.65:46193) closed connection to service IPC$ [2015/09/09 08:45:05.049695, 4, pid=11196, effective(0, 0), real(0, 0), class=vfs] ../source3/smbd/vfs.c:838(vfs_ChDir) vfs_ChDir to / [2015/09/09 08:45:05.049763, 4, pid=11196, effective(0, 0), real(0, 0), class=vfs] ../source3/smbd/vfs.c:849(vfs_ChDir) vfs_ChDir got / [2015/09/09 08:45:05.049814, 4, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2015/09/09 08:45:05.049860, 5, pid=11196, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2015/09/09 08:45:05.049903, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:629(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2015/09/09 08:45:05.049968, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2015/09/09 08:45:05.050029, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order) check lock order 1 for /var/lib/samba/smbXsrv_session_global.tdb [2015/09/09 08:45:05.050078, 10, 
pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/lib/samba/smbXsrv_session_global.tdb 2: 3: [2015/09/09 08:45:05.050126, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 85785D5B [2015/09/09 08:45:05.050222, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f7118a8c660 [2015/09/09 08:45:05.050295, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 85785D5B [2015/09/09 08:45:05.050358, 5, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/lib/samba/smbXsrv_session_global.tdb [2015/09/09 08:45:05.050405, 10, pid=11196, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2015/09/09 08:45:05.050458, 4, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2015/09/09 08:45:05.050504, 5, pid=11196, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2015/09/09 08:45:05.050547, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:629(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2015/09/09 08:45:05.050612, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2015/09/09 08:45:05.051249, 5, pid=11196, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:340(messaging_deregister) Deregistering messaging pointer for type 1536 - private_data=0x7f7118a777e0 [2015/09/09 08:45:05.051396, 3, pid=11196, effective(0, 0), real(0, 0)] ../source3/smbd/server_exit.c:221(exit_server_common) Server exit (failed to receive smb 
request) ==> /var/log/samba/log.winbindd <== [2015/09/09 08:45:05.106031, 6, pid=10537, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:919(winbind_client_request_read) closing socket 26, client exited ==> /var/log/samba/log.smbd <== [2015/09/09 08:45:05.106446, 5, pid=10536, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order) check lock order 2 for /var/lib/samba/serverid.tdb [2015/09/09 08:45:05.106548, 10, pid=10536, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2:/var/lib/samba/serverid.tdb 3: [2015/09/09 08:45:05.106609, 10, pid=10536, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key BC2B000000000000FFFFFFFF [2015/09/09 08:45:05.106671, 10, pid=10536, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f7118a50b20 [2015/09/09 08:45:05.106750, 10, pid=10536, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key BC2B000000000000FFFFFFFF [2015/09/09 08:45:05.106803, 5, pid=10536, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 2 for /var/lib/samba/serverid.tdb [2015/09/09 08:45:05.106865, 10, pid=10536, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: ------------------------------------------------------------------- Let me know, thanks for your support. 
Bye, Morgan

2015-09-08 18:39 GMT+02:00 Alexander Bokovoy :
> On Tue, 08 Sep 2015, Morgan Marodin wrote:
>
>> Also doing trust manually (as explained here
>> http://www.freeipa.org/page/Active_Directory_trust_setup) the command fails
>> in the same mode:
>> # ipa trust-add --type=ad MYDOMAIN.COM --trust-secret
>> Shared secret for the trust:
>> ipa: ERROR: Cannot find specified domain or server name
>>
>> ==> /var/log/httpd/access_log <==
>> 192.168.0.65 - - [08/Sep/2015:17:50:21 +0200] "POST /ipa/session/json HTTP/1.1" 200 185
>>
>> ==> /var/log/httpd/error_log <==
>> [Tue Sep 08 17:50:22.183939 2015] [:error] [pid 4265] ipa: INFO: [jsonserver_session] admin at IPA.MYDOMAIN.COM: trust_add(u'MYDOMAIN.COM', trust_type=u'ad', trust_secret=u'********', all=False, raw=False, version=u'2.112'): NotFound
>>
> Enable debugging as instructed on the page you refer above, and provide
> me with the output as the page tells you.
>
> --
> / Alexander Bokovoy

--
Morgan Marodin
email: morgan at marodin.it
mobile: +39.3477829069

From Alexander.Frolushkin at megafon.ru Wed Sep 9 08:58:25 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 9 Sep 2015 08:58:25 +0000
Subject: [Freeipa-users] hp-ux and IPA
Message-ID:

Hello.
Is it possible to use IPA with HP-UX servers (ldapux) to authenticate users from AD via IPA-AD trusts, or such way only work for systems with sssd?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

From dbischof at hrz.uni-kassel.de Wed Sep 9 09:12:31 2015
From: dbischof at hrz.uni-kassel.de (dbischof at hrz.uni-kassel.de)
Date: Wed, 9 Sep 2015 11:12:31 +0200 (CEST)
Subject: [Freeipa-users] svnserve authentication against IPA
In-Reply-To: <558EE186.2070106@redhat.com>
References: <558EE186.2070106@redhat.com>
Message-ID:

Hi,

On Sat, 27 Jun 2015, Dmitri Pal wrote:

> On 06/18/2015 05:09 AM, dbischof at hrz.uni-kassel.de wrote:
>>
>> I have a svnserve (Subversion 1.6.11) running on my IPA server.
>> Currently, there's a separate user database with SASL auth:
>>
>> /etc/sasl2/svn.conf
>> ---
>> pwcheck_method: auxprop
>> auxprop_plugin: sasldb
>> sasldb_path: /etc/sasldb2
>> mech_list: DIGEST-MD5
>> ---
>>
>> XXX/testrepo/conf/svnserve.conf
>> ---
>> [general]
>> anon-access = none
>> authz-db = authz
>> realm = MYSUBDOMAIN.MYUNIVERSITY.DE
>> [sasl]
>> use-sasl = true
>> min-encryption = 128
>> max-encryption = 256
>> ---
>>
>> On a test system, I changed svnserve auth to saslauthd and IPA:
>>
>> /etc/sasl2/svn.conf
>> ---
>> pwcheck_method: saslauthd
>> auxprop_plugin: ldap
>> mech_list: PLAIN
>> ldapdb_mech: PLAIN
>> ---
>>
>> XXX/testrepo/conf/svnserve.conf
>> ---
>> [general]
>> anon-access = none
>> authz-db = authz
>> realm = MYSUBDOMAIN.MYUNIVERSITY.DE
>> [sasl]
>> use-sasl = true
>> min-encryption = 0
>> max-encryption = 256
>> ---
>>
>> /etc/saslauthd.conf
>> ---
>> ldap_servers: ldaps://localhost/
>> ldap_search_base: cn=users,cn=accounts,dc=MYSUBDOMAIN,dc=MYUNIVERSITY,dc=DE
>> ---
>>
>> Though this setup basically works and svnserve and IPA are running on
>> the same machine I'm unhappy with PLAIN and "min-encryption = 0".
>>
>> What would you suggest to improve security/enable encryption in this
>> setup? I considered switching from svnserve to Apache, but that would
>> imply that my users will have to get used to something new.
>>
> It seems that no one on the list knows details about svn configuration so if
> you figure it out please share the results with the list.
>
> --
> Thank you,
> Dmitri Pal

For the record: in the meantime, I've abandoned svnserve in favour of apache. It's more complicated to set up but also more flexible.
In order to make it work with IPA, one needs (something similar to) the following included in the apache configuration:

---
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

RedirectMatch ^(/svn)$ $1/
RedirectPermanent /svn/ /home/svn/

DAV svn
SVNParentPath /home/svn
SVNListParentPath On
SVNAutoversioning On
SVNReposName "example.com SVN Repositories"
SVNPathAuthz short_circuit
AuthType Basic
AuthName "example.com SVN Repositories"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPBindDN "uid=sysadev,CN=users,CN=accounts,DC=example,DC=com"
AuthLDAPBindPassword XXXXXXXXXX
AuthLDAPURL "ldaps://ipa.example.com/CN=users,CN=accounts,DC=example,DC=com?uid,nsAccountLock?sub?(ObjectClass=*)"
Require ldap-attribute nsAccountLock!="true"
Require valid-user
AuthzSVNAccessFile /etc/subversion/svn.acl
Options +Indexes +FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from all
---

I think this is more flexible and more secure than my svnserve approach.

Remarks:

1. "sysadev" is the username that I use for LDAP binding (an IPA user with a long-term password, no home directory and /sbin/nologin as login shell).
2. "/etc/subversion/svn.acl" contains the access rights for the individual SVN repos. It is similar to the "authz" files that svnserve uses.
3. apache is HTTPS-only.

Mit freundlichen Gruessen/With best regards,

--Daniel.
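An added example, not part of Daniel's message and not Subversion's own code: a small offline evaluator for the AuthzSVNAccessFile format that /etc/subversion/svn.acl uses, so you can check what a given IPA account can reach before pointing Apache at the file. The precedence model (longest matching path wins, a repository-specific [repo:/path] section is consulted before the global [/path] one, an explicit user rule beats a group rule, which beats `*`) follows Subversion's documented rules but is an approximation, not the library. The sample ACL, the repository name `project` and the user names are constructed for the demo.

```python
"""Offline evaluator for an AuthzSVNAccessFile such as /etc/subversion/svn.acl.
Added example (not Subversion code). Approximation of the documented rules:
longest matching path decides, repo-specific section before global one at the
same depth; within a section explicit user > @group > '*'/'$authenticated';
a section naming nobody applicable is skipped; no rule anywhere = no access."""
import configparser
import posixpath

# Constructed sample ACL; the repository 'project' and the users are made up.
SAMPLE_ACL = """\
[groups]
devs = alice, bob
auditors = carol, @devs

[/]
* = r

[project:/trunk]
@devs = rw
carol =

[project:/trunk/secrets]
* =
alice = rw
"""


class SvnAuthz:
    def __init__(self, text):
        cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        cp.optionxform = str  # principals are case-sensitive; do not lowercase them
        cp.read_string(text)
        self.groups = {}
        if cp.has_section("groups"):
            for name, members in cp.items("groups"):
                self.groups[name] = [m.strip() for m in members.split(",") if m.strip()]
        # (repo or None, normalised path) -> [(principal, permission string)]
        self.rules = {}
        for section in cp.sections():
            if section == "groups":
                continue
            repo, sep, path = section.partition(":")
            if not sep:
                repo, path = None, section
            self.rules[(repo, self._norm(path))] = [(p, v.strip()) for p, v in cp.items(section)]

    @staticmethod
    def _norm(path):
        return posixpath.normpath("/" + path.strip("/"))

    def in_group(self, user, group, seen=()):
        """Group membership, following nested @group members, loop-safe."""
        if group in seen:
            return False
        for member in self.groups.get(group, []):
            if member.startswith("@"):
                if self.in_group(user, member[1:], seen + (group,)):
                    return True
            elif member == user:
                return True
        return False

    def _rank(self, principal, user):
        """How specifically a rule's principal names this user (0 = not at all)."""
        if user is not None and principal == user:
            return 3
        if user is not None and principal.startswith("@") and self.in_group(user, principal[1:]):
            return 2
        if principal == "*" or (principal == "$authenticated" and user is not None):
            return 1
        return 0

    def access(self, user, repo, path):
        """Set of permissions ('r', 'w') for user on path in repo; None = anonymous."""
        p = self._norm(path)
        while True:
            for key in ((repo, p), (None, p)):
                rules = self.rules.get(key)
                if not rules:
                    continue
                best = None
                for principal, perms in rules:
                    rank = self._rank(principal, user)
                    if rank and (best is None or rank > best[0]):
                        best = (rank, perms)
                if best is not None:
                    return set(best[1])
            if p == "/":
                return set()
            p = posixpath.dirname(p)  # nothing decided here: inherit from the parent


SAMPLE_AUTHZ = SvnAuthz(SAMPLE_ACL)

if __name__ == "__main__":
    for user, repo, path in [("alice", "project", "/trunk/foo.c"), ("carol", "project", "/trunk"),
                             ("bob", "project", "/trunk/secrets/key.pem"), (None, "project", "/trunk")]:
        print(user, repo, path, "".join(sorted(SAMPLE_AUTHZ.access(user, repo, path))) or "-")
```

Two things the sample makes visible: `carol =` in [project:/trunk] is an explicit empty rule, so it revokes the read she would otherwise inherit from `[/] * = r`, and the `* =` line in [project:/trunk/secrets] is the only way to stop that inherited read from reaching a subtree. Remember that `* = r` at the root applies to every account that gets past Apache's own `Require` lines, so narrow it when not every IPA user should read every repository.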
From baghery.jone at gmail.com Wed Sep 9 10:47:25 2015
From: baghery.jone at gmail.com (alireza baghery)
Date: Wed, 9 Sep 2015 15:17:25 +0430
Subject: [Freeipa-users] problem in ipa trust with AD
Message-ID:

Hi,

I installed CentOS 6.7 with a trust to Windows 2008 R2 (AD users cannot log in) and got this log on the IPA server, in /var/log/krb5kdc.log.
IPA domain: l.infotechpsp.net

++++++++++++++
Sep 09 15:09:20 ipareplica.l.infotechpsp.net krb5kdc[1518](info): AS_REQ (4 etypes {18 17 16 23}) 10.30.120.20: NEEDED_PREAUTH: host/ussddm.l.infotechpsp.net at L.INFOTECHPSP.NET for krbtgt/L.INFOTECHPSP.NET at L.INFOTECHPSP.NET, Additional pre-authentication required
++++++++

Is it correct? l.infotechpsp.net at l.infotechpsp.net

From abokovoy at redhat.com Wed Sep 9 14:01:46 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 9 Sep 2015 17:01:46 +0300
Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
In-Reply-To:
References: <20150908132119.GV22106@redhat.com> <20150908163901.GW22106@redhat.com>
Message-ID: <20150909112445.GB22106@redhat.com>

On Wed, 09 Sep 2015, Morgan Marodin wrote:
>Hi Alexander.
>
>Ok, after enabling debugging I have these logs:
>-------------------------------------------------------------------
>==> /var/log/httpd/error_log <==
>INFO: Current debug levels:
>  all: 100
>  tdb: 100
>  printdrivers: 100
>  lanman: 100
>  smb: 100
>  rpc_parse: 100
>  rpc_srv: 100
>  rpc_cli: 100
>  passdb: 100
>  sam: 100
>  auth: 100
>  winbind: 100
>  vfs: 100
>  idmap: 100
>  quota: 100
>  acls: 100
>  locking: 100
>  msdfs: 100
>  dmapi: 100
>  registry: 100
>  scavenger: 100
>  dns: 100
>  ldb: 100
>pm_process() returned Yes
>GENSEC backend 'gssapi_spnego' registered
>GENSEC backend 'gssapi_krb5' registered
>GENSEC backend 'gssapi_krb5_sasl' registered
>GENSEC backend 'sasl-DIGEST-MD5' registered
>GENSEC backend 'spnego' registered
>GENSEC backend 'schannel' registered
>GENSEC backend 'sasl-EXTERNAL' registered
>GENSEC backend 'ntlmssp' registered
>Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
>s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>Mapped to DCERPC endpoint \pipe\lsarpc
>added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
Do you have IPv6 stack enabled?
>[2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>  s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>[2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>  s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>[2015/09/09 08:45:05.032353, 4, pid=11196, effective(217400000, 217400000), real(217400000, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>  pop_sec_ctx (217400000, 217400000) - sec_ctx_stack_ndx = 0
>[2015/09/09 08:45:05.032421, 2, pid=11196, effective(217400000, 217400000), real(217400000, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>  tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory
I'm particularly worried about this one -- the /run/samba/ncalrpc/np pipe has to be there.
Can you explain what your setup is in detail?

--
/ Alexander Bokovoy

From abokovoy at redhat.com Wed Sep 9 14:06:50 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 9 Sep 2015 17:06:50 +0300
Subject: [Freeipa-users] hp-ux and IPA
In-Reply-To:
References:
Message-ID: <20150909140650.GC22106@redhat.com>

On Wed, 09 Sep 2015, Alexander Frolushkin wrote:
>Hello.
>Is it possible to use IPA with HP-UX servers (ldapux) to authenticate
>users from AD via IPA-AD trusts, or such way only work for systems with
>sssd?
I suspect you need to test it -- set it up like against Netscape/iPlanet directory server and use 'ipa-advise' recipes for FreeBSD or generic Linux versions to get proper base DNs/attributes/objectclasses.
--
/ Alexander Bokovoy

From abokovoy at redhat.com Wed Sep 9 14:22:32 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 9 Sep 2015 17:22:32 +0300
Subject: [Freeipa-users] problem in ipa trust with AD
In-Reply-To:
References:
Message-ID: <20150909142232.GD22106@redhat.com>

On Wed, 09 Sep 2015, alireza baghery wrote:
>Hi,
>I installed CentOS 6.7 with a trust to Windows 2008 R2 (AD users cannot log in)
>and got this log on the IPA server, in /var/log/krb5kdc.log.
>IPA domain: l.infotechpsp.net
>
>++++++++++++++
>Sep 09 15:09:20 ipareplica.l.infotechpsp.net krb5kdc[1518](info): AS_REQ (4 etypes {18 17 16 23}) 10.30.120.20: NEEDED_PREAUTH: host/ussddm.l.infotechpsp.net at L.INFOTECHPSP.NET for krbtgt/L.INFOTECHPSP.NET at L.INFOTECHPSP.NET, Additional pre-authentication required
>++++++++
>Is it correct? l.infotechpsp.net at l.infotechpsp.net
I don't understand what you are trying to say. NEEDED_PREAUTH is normal.

Use CentOS 7.x if you want to have trust with Active Directory. Server code for trusts was a tech preview in RHEL 6.x.

Follow http://www.freeipa.org/page/Active_Directory_trust_setup and the debugging chapter in it for debugging. Also use https://fedorahosted.org/sssd/wiki/Troubleshooting for debugging SSSD-related issues, if any.

Right now you did not provide any information. And really, move to a newer CentOS 7 version.

--
/ Alexander Bokovoy

From pspacek at redhat.com Wed Sep 9 16:12:07 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 9 Sep 2015 18:12:07 +0200
Subject: [Freeipa-users] certificate add subject alt Name
In-Reply-To: <3880303.smKUlFW0em@techz>
References: <3880303.smKUlFW0em@techz>
Message-ID: <55F05A57.8000907@redhat.com>

On 5.9.2015 12:48, Günther J. Niederwimmer wrote:
> Hello,
>
> System CentOS 7.
>
> is it possible to change a certificate to add a subject alt name?
>
> My "Problem" is, I have a Mail Server with name smtp.example.com and the
> correct service certificates smtp/smtp.example.com & imap/example.com. Now I
> make in my DNS Server (is an external system) a new Record "imap IN CNAME smtp"
> but this is now missing in the certificate?
>
> The Problem I mean is DNSSEC, so I can't set this up with freeIPA and I don't
> have a host/imap.example.com.
I'm sorry but I do not see how this is related to DNS. It might not be related to IPA at all. IPA only issues the cert.

If the cert contains both subjectAltNames then the problem is likely in your DNS configuration or in configuration on the application server side (where you installed the cert).

Unfortunately I'm not able to tell you more without more details - what application you use, what versions, how you configured it, etc.

--
Petr^2 Spacek

From pspacek at redhat.com Wed Sep 9 16:15:30 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 9 Sep 2015 18:15:30 +0200
Subject: [Freeipa-users] pfSense DHCP to IPA's BIND dynamic updates success
In-Reply-To: <20150909050931.GA22106@redhat.com>
References: <848E0F24-4219-4D27-B318-BDC537D752E4@keates.nl> <20150909050931.GA22106@redhat.com>
Message-ID: <55F05B22.50307@redhat.com>

On 9.9.2015 07:09, Alexander Bokovoy wrote:
> On Wed, 09 Sep 2015, John Keates wrote:
>> So I was having a DNS mess the other day and decided to clean it up.
>> Before, I was running Unbound on pfSense which then had a domain
>> override to the IPA box. It would forward all queries and IPA-wise all
>> was well. Problem was that the domain was also used for a bunch of
>> other things, like the outside world, and DHCP leases, because I want
>> to be able to FQDN my machines and VMs.
>>
>> At first, I thought I could somehow make a weird multi-master setup, or
>> have Unbound rewrite queries or selectively forward or ignore the
>> authoritative status of DNS servers, but that's a rather nasty hackish
>> way to attempt to fix things, so I went for the option to have DHCPd
>> feed its leases and updates to BIND, and make Unbound the 2nd DNS
>> server in case of an IPA meltdown.
>>
>> This turned out to be not-so-easy as you can't use GSSAPI on the
>> pfSense box and the IPA interface doesn't allow you to create keys just
>> like that. Solution? Manual edits! Now, I'm not sure if they will be
>> preserved, but since I was using SaltStack to manage pretty much
>> everything config-wise, I just make sure it keeps my settings around.
>>
>> Here is how to configure things:
>>
>> BIND-side:
>>
>> 1. Open /etc/named.conf in a root editor
>> 2. Insert a key like this:
>>
>> key "dhcp-key" {
>>     algorithm hmac-md5;
>>     secret "base64_string_here=";
>> };
>>
>> Where the string "dhcp-key" can be anything, but you should remember
>> what you put in there. The Secret is a base64 string, if you are
>> slightly clueless about that, use: echo "yoursecrethere" | base64
>> and you will get your base64 string. Stick it in between the quotes and
>> you're good.
>>
>> 3. Next, log in to the IPA UI and go to the Zone you'd like to have DHCP
>> dynamically push to.
>> 4. Click settings and turn on "Dynamic update" if it's not on already
>> 5. Add an update policy, in this format:
>>
>> grant dhcp-key wildcard * ANY;
>>
>> This is rather insecure as you give anything that authenticates using
>> the key called "dhcp-key" full update rights for all types on that
>> zone. So if you want to restrict it, do so as you please. I believe it
>> at least wants A and AAAA records and probably TXT.
>>
>> 6. Click the update button and you are all set on this end. Note: if
>> you want to have reverse lookups as well, you have to repeat step 5 for
>> the reverse zone too!
>>
>> pfSense-side:
>>
>> 1. In pfSense, go to the DHCP server page
>> 2. Enable "Enable registration of DHCP client names in DNS."
>> 3. Enter the domain name of the zone you configured in IPA for dynamic updates
>> 4. Enter the required fields (IP of the IPA server, the name (which is
>> dhcp-key in this example) and the base64 string you generated
>> 5. Press save and you're good!
>>
>> A few extras:
>>
>> - You could add IPA as an NTP server here as well
>> - You should add the IPA server as the 1st DNS server
>> - You can add pfSense as the 2nd DNS server if you like
>>
>> Please remember that at this point no DNS-related stuff on pfSense is
>> used anymore as all clients will talk to IPA for their DNS needs from
>> now on. If all you need is the one domain name, for example, if you
>> use a unique domain just for internal IPA use, you're better off using
>> the domain override.
>>
>> I hope this helps someone, and might work as a basis for more robust
>> and secure configuration, as this is something I just came up with
>> today in a test environment.
> This looks reasonable. You may want to put your key definition into something
> like
> /etc/named/my-dhcp-keys.conf and include it from there via 'include'
> statements but I think we don't upgrade named.conf after it was
> originally created.
>
> John, could you please add this to FreeIPA wiki?

BTW it is already documented here:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG

Have a nice day!
:-)

--
Petr^2 Spacek

From pvoborni at redhat.com Wed Sep 9 16:18:30 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 9 Sep 2015 18:18:30 +0200
Subject: [Freeipa-users] Troubles with extending FreeIPA Web UI to fit my environment
In-Reply-To: <55EB3E8A.8000207@iisg.agh.edu.pl>
References: <55DE813E.8010505@iisg.agh.edu.pl> <55E58BAC.7090202@redhat.com> <55EB3E8A.8000207@iisg.agh.edu.pl>
Message-ID: <55F05BD6.30401@redhat.com>

On 09/05/2015 09:12 PM, Mateusz Małek wrote:
>
>
> On 01.09.2015 at 13:27, Petr Vobornik wrote:
>> On 08/27/2015 05:17 AM, Mateusz Małek wrote:
>>> We're trying to adjust FreeIPA to our environment... quite a bit. Here
>>> are some bullet points:
>>>
>>> (...)
>>>
>>> For points 3, 5, 6 and to limit available choices in 2, we need to plug
>>> into Web UI. Samples at https://pvoborni.fedorapeople.org/plugins/
>>> provided us with some basic info how to write plugins.
>>
>> Glad to read that the plugin support is used. Especially in this scale.
>>
>> I'd like to ask you for a feedback. What are the main things that
>> would make extending IPA easier for you?
> Thank you for the feedback.
> I think that some Web UI documentation is needed - some kind of index of
> available widgets (their names, parameters, some usage examples for more
> complex widgets like entity_select), dialog windows and facets (like
> search), examples for various things like how to add new batch actions
> (with a new button at the top of search view) or to make layout and
> contents of facets/dialog boxes dependent on which user is using Web UI
> (like self-service differs from admin view).

Yeah, this needs more love. Web UI has a documentation generated from
comments but a lot of code is not commented/documented and examples are
still missing.
https://pvoborni.fedorapeople.org/doc/#!/api

>
> UI seems extremely extensible and probably many "examples" of how to do
> different things are already there, but it takes some time to find which
> part of UI uses them and can be copied to custom module (or adjusted in
> some other way).
>
> Do you have some tips on how to setup programming environment for UI
> development?

Only https://pvoborni.fedorapeople.org/doc/#!/guide/Debugging

>
>>> However, I face some issues when I register my module under different
>>> entity name instead of overriding user (I want to keep original user
>>> module available)
>>
>> Just curious, why do you want to keep the original user entity object?
>
> Maybe not necessarily to keep original entity object, but to manage the
> same object using two different UI plugins (keeping original module
> available was quick test of such scenario). We have sysadmins - who can
> modify all user details - and user administrator - who needs really
> simple interface for creating new accounts and prolonging validity of
> existing.

Maybe a plugin can switch the entity in registry according to user role
after the role is known - as in this plugin:
https://pvoborni.fedorapeople.org/plugins/simpleuser/simpleuser.js

User data should be in `IPA.whoami`

>
>>
>>> It seems that check if (that.entity !== that.managed_entity) in
>>> freeipa/search.js fails (condition is true), which causes
>>> managed_entity_pkey_prefix function to return [""] instead of [] -
>>> object inspection shows both entity and managed_entity refer to user
>>> entity, but probably these are two different JS objects (and that's why
>>> they are considered different). Am I doing something wrong or is it some
>>> bug?
>>
>> There is no claim that it should work so I would say that it is a
>> limitation of original design and unfinished refactoring than a bug.
>> The code can be improved to support multiple entity objects for the
>> same IPA object but I'm worried that it can break something else.
>>
>> Maybe simple comparison by an entity name would help.
>
> Oh, I see. I'll probably try to find other way around, as I'm a bit
> short on time. Extending FreeIPA is part of my engineering thesis, but
> at the same time I'm applying my changes to our CentOS-based production
> environment - that's why I'm trying to keep existing codebase intact
> (and it would take some time before any changes make their way to
> packages in RHEL repositories).

It can be patched in a plugin, but it's not nice. Example:
https://pvoborni.fedorapeople.org/plugins/association_search_fix/association_search_fix.js

>
> Thanks,
>
> Mateusz Małek

--
Petr Vobornik

From morgan at marodin.it Wed Sep 9 16:22:37 2015
From: morgan at marodin.it (Morgan Marodin)
Date: Wed, 9 Sep 2015 18:22:37 +0200
Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
In-Reply-To: <20150909112445.GB22106@redhat.com>
References: <20150908132119.GV22106@redhat.com> <20150908163901.GW22106@redhat.com> <20150909112445.GB22106@redhat.com>
Message-ID:

Hi Alexander

IPv6 stack is disabled on my RHEL-like distro, v 7 x64, but is enabled on my Windows 2012.
I have read in a freeipa article to disable IPv6.
I've 2 Domain Controllers with Windows Server 2012 and (at this time) one new freeipa server, just installed, in the same network.
AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
I've installed bind in IPA that contains only ipa.mydomain.com zone.
In AD servers is configured mydomain.com zone, with ipa.mydomain.com delegation to linux server (192.168.0.65).
Do you have other questions about my setup?
Let me know, thanks.
Morgan

2015-09-09 16:01 GMT+02:00 Alexander Bokovoy :

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander.
>> >> Ok, after enabling debugging I have these logs: >> ------------------------------------------------------------------- >> ==> /var/log/httpd/error_log <== >> INFO: Current debug levels: >> all: 100 >> tdb: 100 >> printdrivers: 100 >> lanman: 100 >> smb: 100 >> rpc_parse: 100 >> rpc_srv: 100 >> rpc_cli: 100 >> passdb: 100 >> sam: 100 >> auth: 100 >> winbind: 100 >> vfs: 100 >> idmap: 100 >> quota: 100 >> acls: 100 >> locking: 100 >> msdfs: 100 >> dmapi: 100 >> registry: 100 >> scavenger: 100 >> dns: 100 >> ldb: 100 >> pm_process() returned Yes >> GENSEC backend 'gssapi_spnego' registered >> GENSEC backend 'gssapi_krb5' registered >> GENSEC backend 'gssapi_krb5_sasl' registered >> GENSEC backend 'sasl-DIGEST-MD5' registered >> GENSEC backend 'spnego' registered >> GENSEC backend 'schannel' registered >> GENSEC backend 'sasl-EXTERNAL' registered >> GENSEC backend 'ntlmssp' registered >> Using binding ncacn_np:srv01.ipa.mydomain.com[,] >> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": >> 0x7f8a3c224990 >> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170 >> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0 >> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger" >> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger" >> Mapped to DCERPC endpoint \pipe\lsarpc >> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 >> netmask=255.255.255.0 >> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 >> netmask=255.255.255.0 >> > Do you have IPv6 stack enabled? 
>
> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>> s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)]
>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>> s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>> [2015/09/09 08:45:05.032353, 4, pid=11196, effective(217400000,
>> 217400000), real(217400000, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>> pop_sec_ctx (217400000, 217400000) - sec_ctx_stack_ndx = 0
>> [2015/09/09 08:45:05.032421, 2, pid=11196, effective(217400000,
>> 217400000), real(217400000, 0), class=rpc_srv]
>> ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>> tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and
>> user IPA\admin failed: No such file or directory
>>
> I'm particularly worrying about this one -- /run/samba/ncalrpc/np pipe
> has to be there.
>
> Can you explain what is your setup in detail?
>
> --
> / Alexander Bokovoy
>

--
Morgan Marodin
email: morgan at marodin.it
mobile: +39.3477829069

From Thomas.Suiter at proquest.com Wed Sep 9 16:32:53 2015
From: Thomas.Suiter at proquest.com (Thomas Suiter)
Date: Wed, 9 Sep 2015 16:32:53 +0000
Subject: [Freeipa-users] Add objectclasses to computer schema
Message-ID:

Is there an equivalent host/computer default objectclasses that there is
for ipa config-mod --groupobjectclasses/--userobjectclasses ? We are
wanting to add some additional attributes to all of the servers. I'm able
to add the object class to individual servers but not sure on the
procedure so that all new servers automatically get the additional
objectclasses when they are enrolled without having to manually add it.
From abokovoy at redhat.com Wed Sep 9 16:53:54 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 9 Sep 2015 19:53:54 +0300
Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
In-Reply-To:
References: <20150908132119.GV22106@redhat.com> <20150908163901.GW22106@redhat.com> <20150909112445.GB22106@redhat.com>
Message-ID: <20150909165354.GE22106@redhat.com>

On Wed, 09 Sep 2015, Morgan Marodin wrote:
>Hi Alexander
>
>IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enable on my
>WIndows 2012.
>I have read in a freeipa article to disable IPv6.
Sorry, and why did you decide to disable IPv6 stack? FreeIPA article
explicitly talks about not disabling IPv6.

Samba and FreeIPA LDAP code require working IPv6 stack on the machine.
You can have a system without IPv6 addresses but do not disable the
infrastructure. All contemporary networking applications are written
with the idea that you can use IPv6-only functions and work on both IPv4
and IPv6 at the same time. See ipv6(7) manual page:

----
IPv4 connections can be handled with the v6 API by using the
v4-mapped-on-v6 address type; thus a program needs to support only this
API type to support both protocols. This is handled transparently by the
address handling functions in the C library.

IPv4 and IPv6 share the local port space. When you get an IPv4
connection or packet to a IPv6 socket, its source address will be mapped
to v6 and it will be mapped to v6.
----

>I've 2 Domain Controller with Windows Server 2012 and (at this time) one
>new freeipa server, just installed, in the same network.
>AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
>I've installed bind in IPA that contains only ipa.mydomain.com zone.
>In AD servers is configured mydomain.com zone, with ipa.mydomain.com
>delegation to linux server (192.168.0.65).
>Do you have other question of my setup?
>Let me know, thanks.
>Morgan > > >2015-09-09 16:01 GMT+02:00 Alexander Bokovoy : > >> On Wed, 09 Sep 2015, Morgan Marodin wrote: >> >>> Hi Alexander. >>> >>> Ok, after enabling debugging I have these logs: >>> ------------------------------------------------------------------- >>> ==> /var/log/httpd/error_log <== >>> INFO: Current debug levels: >>> all: 100 >>> tdb: 100 >>> printdrivers: 100 >>> lanman: 100 >>> smb: 100 >>> rpc_parse: 100 >>> rpc_srv: 100 >>> rpc_cli: 100 >>> passdb: 100 >>> sam: 100 >>> auth: 100 >>> winbind: 100 >>> vfs: 100 >>> idmap: 100 >>> quota: 100 >>> acls: 100 >>> locking: 100 >>> msdfs: 100 >>> dmapi: 100 >>> registry: 100 >>> scavenger: 100 >>> dns: 100 >>> ldb: 100 >>> pm_process() returned Yes >>> GENSEC backend 'gssapi_spnego' registered >>> GENSEC backend 'gssapi_krb5' registered >>> GENSEC backend 'gssapi_krb5_sasl' registered >>> GENSEC backend 'sasl-DIGEST-MD5' registered >>> GENSEC backend 'spnego' registered >>> GENSEC backend 'schannel' registered >>> GENSEC backend 'sasl-EXTERNAL' registered >>> GENSEC backend 'ntlmssp' registered >>> Using binding ncacn_np:srv01.ipa.mydomain.com[,] >>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": >>> 0x7f8a3c224990 >>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170 >>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0 >>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger" >>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger" >>> Mapped to DCERPC endpoint \pipe\lsarpc >>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 >>> netmask=255.255.255.0 >>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 >>> netmask=255.255.255.0 >>> >> Do you have IPv6 stack enabled? 
>> >> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] >>> ../lib/util/tevent_debug.c:63(samba_tevent_debug) >>> s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0 >>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] >>> ../lib/util/tevent_debug.c:63(samba_tevent_debug) >>> s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0 >>> [2015/09/09 08:45:05.032353, 4, pid=11196, effective(217400000, >>> 217400000), real(217400000, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx) >>> pop_sec_ctx (217400000, 217400000) - sec_ctx_stack_ndx = 0 >>> [2015/09/09 08:45:05.032421, 2, pid=11196, effective(217400000, >>> 217400000), real(217400000, 0), class=rpc_srv] >>> ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p) >>> tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and >>> user IPA\admin failed: No such file or directory >>> >> I'm particularly worrying about his one -- /run/samba/ncalrpc/np pipe >> has to be there. >> >> Can you explain what is your setup in detail? >> >> -- >> / Alexander Bokovoy >> > > > >-- >Morgan Marodin >email: morgan at marodin.it >mobile: +39.3477829069 -- / Alexander Bokovoy From Andy.Thompson at e-tcc.com Wed Sep 9 17:35:12 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Wed, 9 Sep 2015 17:35:12 +0000 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo Message-ID: Ok I've got a strange one going on. I just updated several machines to RHEL 6.7 and seem to have broken my sudo rules. I've tracked the problem down to having Default_domain_suffix = ad.domain In the sssd.conf. If I remove that I can login using the fqn from AD and sudo rules are applied as configured. However I don't want to force my users to change to using their fqn to login, and due to having db2 in the environment our usernames are limited to 8 characters so we cannot use the fqn regardless. 
I tested adding a local sudo rule for %ad_domain_group at ipa.domain and it worked, but any IPA rules are not working.

Update installed sssd-1.12.4-47.el6.x86_64

-andy

*** This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. ***

From kretebe at freemail.hu Wed Sep 9 19:31:36 2015
From: kretebe at freemail.hu (Molnár Domokos)
Date: Wed, 9 Sep 2015 21:31:36 +0200 (CEST)
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
Message-ID:

I have a working IPA server and a working client config on an OpenSuse 13.2 with the following versions:

nappali:~ # rpm -qa |grep sssd
sssd-tools-1.12.2-3.4.1.i586
sssd-krb5-1.12.2-3.4.1.i586
python-sssd-config-1.12.2-3.4.1.i586
sssd-ipa-1.12.2-3.4.1.i586
sssd-1.12.2-3.4.1.i586
sssd-dbus-1.12.2-3.4.1.i586
sssd-krb5-common-1.12.2-3.4.1.i586
sssd-ldap-1.12.2-3.4.1.i586

sssd is configured for nss, pam, sudo

There is a test sudo rule defined in the ipa server, which applies to user "doma". However when the user tries to use sudo the rule does not work.

doma at nappali:/home/doma> sudo ls
doma's password:
doma is not allowed to run sudo on nappali. This incident will be reported.

The corresponding log in the sssd_sudo.log is this:

(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
(Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

This seems perfectly OK with one exception. The query against the sysdb does not find the entry. This is strange because the entry is there.

Log in sssd.log:
(Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb

So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb

Running the exact same query seen above in the sssd_sudo.log against the db returns:

ldbsearch -H /var/lib/sss/db/cache_szilva.ldb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
asq: Unable to register control with rootdse!
# record 1
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
dataExpireTimestamp: 1441830262
entryUSN: 20521
name: Doma_ls
objectClass: sudoRule
originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma
distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

This confirms that the entry is indeed there in the db. Why is it found with ldbsearch and why does sssd_sudo not find it? I am pretty much stuck with this one. Does anyone have an idea?

From janellenicole80 at gmail.com Wed Sep 9 19:50:42 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 9 Sep 2015 12:50:42 -0700
Subject: [Freeipa-users] Logging?
Message-ID: <55F08D92.7020607@gmail.com>

Hello,

I was wondering if anyone has played with the extended logging of IPA and specifically SSSD and the kibana dashboards they put together.
https://www.freeipa.org/page/Centralized_Logging

I can't seem to get "clients" to send the login info (https://www.freeipa.org/images/6/65/Rek-user-logins.png), even though I see the data in the logs, and was wondering if anyone has any tips?

Thank you
~Janelle

From Steven.Jones at vuw.ac.nz Wed Sep 9 23:41:46 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 Sep 2015 23:41:46 +0000
Subject: [Freeipa-users] attempting to restore IPA
In-Reply-To:
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com> <55E8C2EE.1020708@redhat.com> <55E93886.6030007@redhat.com> <55E999C2.3060103@redhat.com> <55EEEF6C.1070006@redhat.com>, <55EEF337.3080906@redhat.com>,
Message-ID:

So to restore IPA I tried,

ipa-restore --data ipa-full-2015-09-10-10-28-11

and now I cannot login....ooooopsie. The admin user password doesn't work and neither do my own accounts.

NB I assume the flag --data restores the user data/HBAC rules etc?

regards

Steven

From Alexander.Frolushkin at megafon.ru Thu Sep 10 03:15:38 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Thu, 10 Sep 2015 03:15:38 +0000
Subject: [Freeipa-users] hp-ux and IPA
In-Reply-To: <20150909140650.GC22106@redhat.com>
References: <20150909140650.GC22106@redhat.com>
Message-ID:

Thank you,
so it may work or may not work - we need to try such configuration first. I hoped somebody already did this and may share the experience :)

BTW, I already did some part of this work before - for native IPA users it works, but of course, without HBAC.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: Wednesday, September 09, 2015 8:07 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] hp-ux and IPA

On Wed, 09 Sep 2015, Alexander Frolushkin wrote:
>Hello.
>Is it possible to use IPA with HP-UX servers (ldapux) to authenticate
>users from AD via IPA-AD trusts, or such way only work for systems with
>sssd?
I suspect you need to test it -- set it up like against Netscape/iPlanet
directory server and use 'ipa-advise' recipes for FreeBSD or generic
Linux versions to get proper base DNs/attributes/objectclasses.

--
/ Alexander Bokovoy

________________________________

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful.
If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
(c)20mf50

From abokovoy at redhat.com Thu Sep 10 05:12:40 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 10 Sep 2015 08:12:40 +0300
Subject: [Freeipa-users] hp-ux and IPA
In-Reply-To:
References: <20150909140650.GC22106@redhat.com>
Message-ID: <20150910051240.GF22106@redhat.com>

On Thu, 10 Sep 2015, Alexander Frolushkin wrote:
>Thank you,
>so it may work or may not work - we need to try such configuration
>first. I hoped somebody already do this and may share the experience :)
>
>BTW, I already do some part of this work before - for native IPA users
>it works, but of cause, without HBAC.
As HBAC currently is done at client side, and there is no such support
for HP-UX, nothing can change here.

For combined AD and IPA users just use cn=compat subtrees like
'ipa-advise' rules suggest.

It would be great if you would be able to update instructions for HP-UX
setup we have on the wiki --
http://www.freeipa.org/page/ConfiguringUnixClients#HP-UX_11.0

--
/ Alexander Bokovoy

From morgan at marodin.it Thu Sep 10 06:00:58 2015
From: morgan at marodin.it (Morgan Marodin)
Date: Thu, 10 Sep 2015 08:00:58 +0200
Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
In-Reply-To: <20150909165354.GE22106@redhat.com>
References: <20150908132119.GV22106@redhat.com> <20150908163901.GW22106@redhat.com> <20150909112445.GB22106@redhat.com> <20150909165354.GE22106@redhat.com>
Message-ID:

Sorry, I've read ipv6.disable=1 in this article http://www.freeipa.org/page/Active_Directory_trust_setup#Prerequisites, I misunderstood this prerequisite and went directly to the next chapter; in my mind I was convinced that IPv6 must be disabled :)
I will try with IPv6 enabled, and then I will tell you if it is ok.
Thanks, Morgan 2015-09-09 18:53 GMT+02:00 Alexander Bokovoy : > On Wed, 09 Sep 2015, Morgan Marodin wrote: > >> Hi Alexander >> >> IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enable on >> my >> WIndows 2012. >> I have read in a freeipa article to disable IPv6. >> > Sorry, and why you did decide to disable IPv6 stack? FreeIPA article > explicitly talks about not disabling IPv6. > > Samba and FreeIPA LDAP code require working IPv6 stack on the machine. > You can have a system without IPv6 addresses but do not disable the > infrastructure. All contemporary networking applications are written > with the idea that you can use IPv6-only functions and work on both IPv4 > and IPv6 at the same time. See ipv6(7) manual page: > > ---- > IPv4 connections can be handled with the v6 API by using the > v4-mapped-on-v6 address type; thus a program needs to support only this > API type to support both protocols. This is handled transparently by the > address handling functions in the C library. > > IPv4 and IPv6 share the local port space. When you get an IPv4 > connection or packet to a IPv6 socket, its source address will be mapped > to v6 and it will be mapped to v6. > ---- > > > > I've 2 Domain Controller with Windows Server 2012 and (at this time) one >> new freeipa server, just installed, in the same network. >> AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM. >> I've installed bind in IPA that contains only ipa.mydomain.com zone. >> In AD servers is configured mydomain.com zone, with ipa.mydomain.com >> delegation to linux server (192.168.0.65). >> > > > Do you have other question of my setup? >> Let me know, thanks. >> Morgan >> >> >> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy : >> >> On Wed, 09 Sep 2015, Morgan Marodin wrote: >>> >>> Hi Alexander. 
>>>> >>>> Ok, after enabling debugging I have these logs: >>>> ------------------------------------------------------------------- >>>> ==> /var/log/httpd/error_log <== >>>> INFO: Current debug levels: >>>> all: 100 >>>> tdb: 100 >>>> printdrivers: 100 >>>> lanman: 100 >>>> smb: 100 >>>> rpc_parse: 100 >>>> rpc_srv: 100 >>>> rpc_cli: 100 >>>> passdb: 100 >>>> sam: 100 >>>> auth: 100 >>>> winbind: 100 >>>> vfs: 100 >>>> idmap: 100 >>>> quota: 100 >>>> acls: 100 >>>> locking: 100 >>>> msdfs: 100 >>>> dmapi: 100 >>>> registry: 100 >>>> scavenger: 100 >>>> dns: 100 >>>> ldb: 100 >>>> pm_process() returned Yes >>>> GENSEC backend 'gssapi_spnego' registered >>>> GENSEC backend 'gssapi_krb5' registered >>>> GENSEC backend 'gssapi_krb5_sasl' registered >>>> GENSEC backend 'sasl-DIGEST-MD5' registered >>>> GENSEC backend 'spnego' registered >>>> GENSEC backend 'schannel' registered >>>> GENSEC backend 'sasl-EXTERNAL' registered >>>> GENSEC backend 'ntlmssp' registered >>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,] >>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": >>>> 0x7f8a3c224990 >>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170 >>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0 >>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger" >>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger" >>>> Mapped to DCERPC endpoint \pipe\lsarpc >>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 >>>> netmask=255.255.255.0 >>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 >>>> netmask=255.255.255.0 >>>> >>>> Do you have IPv6 stack enabled? 
>>>
>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>>>
>>>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>> s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)]
>>>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>> s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032353, 4, pid=11196, effective(217400000, 217400000), real(217400000, 0)]
>>>> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>> pop_sec_ctx (217400000, 217400000) - sec_ctx_stack_ndx = 0
>>>> [2015/09/09 08:45:05.032421, 2, pid=11196, effective(217400000, 217400000), real(217400000, 0), class=rpc_srv]
>>>> ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>>> tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and
>>>> user IPA\admin failed: No such file or directory
>>>>
>>> I'm particularly worrying about this one -- /run/samba/ncalrpc/np pipe
>>> has to be there.
>>>
>>> Can you explain what your setup is, in detail?
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>> --
>> Morgan Marodin
>> email: morgan at marodin.it
>> mobile: +39.3477829069
>>
>
> --
> / Alexander Bokovoy
>

--
Morgan Marodin
email: morgan at marodin.it
mobile: +39.3477829069

From mbasti at redhat.com Thu Sep 10 07:23:36 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 10 Sep 2015 09:23:36 +0200
Subject: [Freeipa-users] Add objectclasses to computer schema
In-Reply-To:
References:
Message-ID: <55F12FF8.7070109@redhat.com>

On 09/09/2015 06:32 PM, Thomas Suiter wrote:
>
> Is there an equivalent host/computer default objectclasses that there
> is for ipa config-mod --groupobjectclasses/--userobjectclasses ?
> We are wanting to add some additional attributes to all of the servers,
> I'm able to add the object class to individual servers but not sure on
> the procedure so that all new servers automatically get the additional
> objectclasses when they are enrolled without having to manually add it.
>
>

Hello,

LDAP schema is replicated to all servers; you just need to add the new
objectclass definition via ldapadd. Just adding changes to user99.ldif
directly may not be replicated; you need to add it online.

Martin

From morgan at marodin.it Thu Sep 10 07:24:17 2015
From: morgan at marodin.it (Morgan Marodin)
Date: Thu, 10 Sep 2015 09:24:17 +0200
Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
In-Reply-To: <20150909165354.GE22106@redhat.com>
References: <20150908132119.GV22106@redhat.com> <20150908163901.GW22106@redhat.com> <20150909112445.GB22106@redhat.com> <20150909165354.GE22106@redhat.com>
Message-ID:

Now all is ok :)

# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
-------------------------------------------------------
Added Active Directory trust for realm "mydomain.com"
-------------------------------------------------------
  Realm name: mydomain.com
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx
  SID blacklist incoming: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x, S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  SID blacklist outgoing: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x, S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  Trust direction: Two-way trust
  Trust type: Active Directory
domain
  Trust status: Established and verified

Thanks for your support.
Morgan
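The dual-stack behaviour Alexander quotes from ipv6(7), as an added example that is not part of this thread, of FreeIPA or of Samba: a preflight check an installer wrapper could run to confirm the IPv6 stack is still present (not removed with ipv6.disable=1) before ipa-server-install. Function names and the loopback probe are my own.

```python
"""Preflight check for the IPv6 requirement discussed in this thread.

Added example, not code from the thread, FreeIPA or Samba. It exercises the
ipv6(7) behaviour quoted above: an AF_INET6 listening socket with
IPV6_V6ONLY cleared accepts an IPv4 client, and the kernel reports that
client's address in the v4-mapped-on-v6 form (::ffff:a.b.c.d). On a host
booted with ipv6.disable=1 the AF_INET6 socket cannot even be created,
which is the condition to catch before running ipa-server-install.
"""
import ipaddress
import socket


def v4_mapped(addr: str) -> str:
    """Spell an IPv4 address the way a dual-stack socket reports it."""
    return "::ffff:%s" % ipaddress.IPv4Address(addr)


def unmap(addr: str) -> str:
    """Collapse a v4-mapped IPv6 address to its IPv4 form; leave others alone."""
    v6 = ipaddress.IPv6Address(addr)
    return str(v6.ipv4_mapped) if v6.ipv4_mapped is not None else v6.compressed


def dual_stack_probe() -> dict:
    """Bind a dual-stack IPv6 socket on an ephemeral port, connect over IPv4.

    Never raises; the returned dict says what worked so it can feed a
    go/no-go decision:
      ipv6_socket - the kernel lets us create AF_INET6 sockets at all
      dual_stack  - an IPv4 client was accepted by the IPv6 listener
      peer        - the peer address the listener saw (expect ::ffff:127.0.0.1)
      error       - text of the failing step, if any
    """
    result = {"ipv6_socket": False, "dual_stack": False, "peer": None, "error": None}
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as exc:  # EAFNOSUPPORT: the stack has been removed entirely
        result["error"] = "cannot create AF_INET6 socket: %s" % exc
        return result
    result["ipv6_socket"] = True
    cli = conn = None
    try:
        # 0 = accept IPv4 clients too; 1 would make this a v6-only listener.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", 0))  # :: with V6ONLY=0 also covers 0.0.0.0
        srv.listen(1)
        port = srv.getsockname()[1]
        cli = socket.create_connection(("127.0.0.1", port), timeout=2)
        conn, peer = srv.accept()
        result["peer"] = peer[0]
        result["dual_stack"] = unmap(peer[0]) == "127.0.0.1"
    except OSError as exc:
        result["error"] = str(exc)
    finally:
        for s in (conn, cli, srv):
            if s is not None:
                s.close()
    return result


if __name__ == "__main__":
    r = dual_stack_probe()
    print("IPv6 sockets: %s, dual-stack accept: %s, peer seen as %s%s"
          % (r["ipv6_socket"], r["dual_stack"], r["peer"],
             "" if r["error"] is None else " (error: %s)" % r["error"]))
```

On a host where the probe reports no AF_INET6 support, re-enable the stack before installing; leaving the interfaces without IPv6 addresses is fine, removing the stack is not.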
From dkupka at redhat.com Thu Sep 10 08:37:35 2015
From: dkupka at redhat.com (David Kupka)
Date: Thu, 10 Sep 2015 10:37:35 +0200
Subject: [Freeipa-users] attempting to restore IPA
In-Reply-To:
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk> <1427931369.19641.6.camel@willson.usersys.redhat.com> <55E8C2EE.1020708@redhat.com> <55E93886.6030007@redhat.com> <55E999C2.3060103@redhat.com> <55EEEF6C.1070006@redhat.com> <55EEF337.3080906@redhat.com>
Message-ID: <55F1414F.3050906@redhat.com>

Hello Steven!

I would like to help you but unfortunately I have no chance to guess what
went wrong. To help us help you please report any issue in a way described
on FreeIPA Troubleshooting page (http://www.freeipa.org/page/Troubleshooting).

Most importantly we need the following:

1. Version of FreeIPA you are using.
2. Precise description of the problem. Stating that "password does not
   work" is not specific enough. Does "kinit admin" fail? With what error
   message? What is in the kdc log? Or does SSH login fail? Does the login
   on a client using the restored server work?
3. Steps that you did before the problem occurred. How was the mentioned
   backup created? Was the FreeIPA server reinstalled since the backup was
   taken? Was any password changed after the backup? Was any error/warning
   reported during the restore?
4. Logs. Please include at least iparestore.log and DS and Kerberos logs.

Maybe some of the information I am missing here can be found in the thread
you are responding to. But since you have changed the subject I assume you
are solving another issue. In that case it makes sense to start a completely
new thread and provide all relevant information. Searching for them in an
older thread is not only time consuming but also may confuse us, as they
could be no longer valid and/or relevant.
Do not take me wrong, I am just trying to show you how to ask with a bigger
chance of solving the issue for you in less time.

Best regards,
David

On 10/09/15 01:41, Steven Jones wrote:
> So to restore IPA I tried,
>
> ipa-restore --data ipa-full-2015-09-10-10-28-11
>
> and now I cannot login....ooooopsie.
>
> The admin user password doesn't work and neither do my own accounts.
>
> NB I assume the flag --data restores the user data/HBAC rules etc?
>
> regards
>
> Steven
>

From prasun.gera at gmail.com Thu Sep 10 11:46:14 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Thu, 10 Sep 2015 04:46:14 -0700
Subject: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
Message-ID:

OS: RHEL 7.1 w IDM

I'm seeing these messages in my master's log messages. I don't know if it's
related, but I think I started seeing them after I set up a replica.
Everything seems to be working fine, but I'm worried that things will break
if the delta grows beyond a point. I tried the steps in
https://access.redhat.com/solutions/35640, but it didn't really help. The
messages still appear regularly in the log.

From andrew.holway at gmail.com Thu Sep 10 12:02:48 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Thu, 10 Sep 2015 14:02:48 +0200
Subject: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
In-Reply-To:
References:
Message-ID:

Hi,

I assume you are virtualising.

Try adding "tinker panic 0" to /etc/ntp.conf.

It should make it tolerant to heavily drifting virtual clocks.

Cheers,

Andrew

On 10 September 2015 at 13:46, Prasun Gera wrote:
> OS: RHEL 7.1 w IDM
>
> I'm seeing these messages in my master's log messages. I don't know if
> it's related, but I think I started seeing them after I set up a replica.
> Everything seems to be working fine, but I'm worried that things will break
> if delta grows beyond a point.
> I tried steps in
> https://access.redhat.com/solutions/35640, but it didn't really help. The
> messages still appear regularly in the log.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From prasun.gera at gmail.com Thu Sep 10 12:05:39 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Thu, 10 Sep 2015 05:05:39 -0700
Subject: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
In-Reply-To:
References:
Message-ID:

Thanks. I'm not virtualizing though. Should I still add it?

On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway wrote:
> Hi,
>
> I assume you are virtualising.
>
> Try adding "tinker panic 0" to /etc/ntp.conf.
>
> It should make it tolerant to heavily drifting virtual clocks.
>
> Cheers,
>
> Andrew
>

From andrew.holway at gmail.com Thu Sep 10 12:16:34 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Thu, 10 Sep 2015 14:16:34 +0200
Subject: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
In-Reply-To:
References:
Message-ID:

That's odd.
You would normally not need it on bare metal. It could be broken hardware.

On 10 September 2015 at 14:05, Prasun Gera wrote:
> Thanks. I'm not virtualizing though. Should I still add it?
>

From rcritten at redhat.com Thu Sep 10 13:04:51 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Sep 2015 09:04:51 -0400
Subject: [Freeipa-users] Add objectclasses to computer schema
In-Reply-To:
References:
Message-ID: <55F17FF3.3080707@redhat.com>

Thomas Suiter wrote:
> Is there an equivalent host/computer default objectclasses that there is
> for ipa config-mod --groupobjectclasses/--userobjectclasses ? We are
> wanting to add some additional attributes to all of the servers, I'm
> able to add the object class to individual servers but not sure on the
> procedure so that all new servers automatically get the additional
> objectclasses when they are enrolled without having to manually add it.

No, these lists exist only for users and groups.
A plugin to extend the host object to add objectclasses would be fairly
straightforward. Adding a similar option to the config would be slightly
more complex.

rob

From gjn at gjn.priv.at Thu Sep 10 13:38:20 2015
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 10 Sep 2015 15:38:20 +0200
Subject: [Freeipa-users] DNS Server
Message-ID: <5363693.2LyDqBLT5h@techz>

Hello,

what is the best way to include an external Nameserver for an IPA Host?

My DNS (DNSSEC) server is running on an extra Instance (KVM). Now I have
set up an extra Instance for an IPA Master Server and I have now to include
the CNAME Server like "smtp.example.com CNAME imap.example.com", or can I do
it another way to include this server?

Thanks for an answer,
--
mit freundlichen Grüssen / best regards,

Günther J. Niederwimmer

From pspacek at redhat.com Thu Sep 10 13:45:07 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 10 Sep 2015 15:45:07 +0200
Subject: [Freeipa-users] DNS Server
In-Reply-To: <5363693.2LyDqBLT5h@techz>
References: <5363693.2LyDqBLT5h@techz>
Message-ID: <55F18963.2030103@redhat.com>

On 10.9.2015 15:38, Günther J. Niederwimmer wrote:
> Hello,
>
> what is the best way to include a external Nameserver for a IPA Host?
>
> My DNS (DNSSEC) server is running on a extra Instance (KVM) now I have setup a
> extra Instance for a IPA Master Server and I have now to include the CNAME
> Server like "smtp.example.com CNAME imap.example.com" or can I do a other way
> to include this server?

Hello,

I'm sorry but I do not understand what you mean by 'include'.

FreeIPA itself requires a bunch of DNS records to be added to whatever DNS
server you use - FreeIPA DNS is just an optional thing.

For ordinary hosts/FreeIPA clients it is up to you how you configure DNS,
there is no enforced requirement from the FreeIPA side.

If you need further information then please describe what exactly you are
trying to achieve, what steps you did and what does not work.
Of course we also need to know on which OS version you are trying it and
which version of the ipa-server package you have.

Have a nice day!

--
Petr^2 Spacek

From mkosek at redhat.com Thu Sep 10 14:48:19 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 10 Sep 2015 16:48:19 +0200
Subject: [Freeipa-users] Vector/hi-res logo
In-Reply-To:
References:
Message-ID: <55F19833.20202@redhat.com>

On 09/08/2015 08:13 PM, Ian Pilcher wrote:
> Now that I'm actually using IPA authentication for a few services within
> my house, I'm going to set up a simple "start page" with a few links,
> including a link to IPA web UI for password changes. I'd like to use
> the FreeIPA logo, but I've only been able to find very small and/or
> fuzzy versions.
>
> Does anyone know where I can find a high-resolution or vector version of
> the logo?
>
> Thanks!

This is an interesting problem to have :-) The biggest bitmap image I have is

http://www.freeipa.org/images/freeipa/freeipa-logo.png

Maybe Petr Spacek has some better version, he was involved with the logo recently.

From mkosek at redhat.com Thu Sep 10 14:55:58 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 10 Sep 2015 16:55:58 +0200
Subject: [Freeipa-users] Logging?
In-Reply-To: <55F08D92.7020607@gmail.com>
References: <55F08D92.7020607@gmail.com>
Message-ID: <55F199FE.2090002@redhat.com>

On 09/09/2015 09:50 PM, Janelle wrote:
> Hello,
>
> I was wondering if anyone has played with the extended logging of IPA and
> specifically SSSD and the kibana dashboards they put together.
> https://www.freeipa.org/page/Centralized_Logging
>
> I can't seem to get "clients" to send the login info
> (https://www.freeipa.org/images/6/65/Rek-user-logins.png), even though I see
> the data in the logs, and was wondering if anyone has any tips?
>
> Thank you
> ~Janelle

Thanks for feedback, I am CCing Peter Schiffer and Jakub Hrozek who were
involved more in the client parts.

What did you run for configuring the client?
ipa-log-config from https://github.com/pschiffe/ipa-log-config ?

From prasun.gera at gmail.com Thu Sep 10 13:03:50 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Thu, 10 Sep 2015 06:03:50 -0700
Subject: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
In-Reply-To:
References:
Message-ID:

The hardware is not very old (ivybridge). The entries appear every few
minutes in the log. The /etc/ntp.conf has not been modified manually. It
lists 3 servers - 0.rhel.pool.ntp.org, 1 and 2. At the end, there are also
a couple of additional local servers with the comment "added by
/sbin/dhclient-script". The replica on the same network with an identical
ntp.conf file doesn't have these messages in the current log. However, if I
go back a week, I see similar messages there too. The ping to public ntp
servers varies from a few ms to ~50 ms. The ping to local servers is under
1 ms. I followed the steps from the first link (ntpd -qg), and the messages
have stopped for now, but I suspect that they will reappear later. That's
what happened last time I tried that solution.

This is the output from ntpq -pn on the master:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+38.229.71.1     204.123.2.5      2 u   39   64  377   44.300 -1311.8   7.668
+64.6.144.6      128.252.19.1     2 u   25   64  377   38.184 -1327.6  12.615
-129.250.35.251  200.98.196.212   2 u   30   64  377   14.649 -1318.8   7.079
 127.127.1.0     .LOCL.          10 l    -   64    0    0.000    0.000   0.000
*localnetip1     localnetref1     2 u   55   64  377    0.349 -1316.0   8.264
-localnetip2     localnetref2     3 u   64   64  377    0.459 -1309.6  10.516

On Thu, Sep 10, 2015 at 5:27 AM, Andrew Holway wrote:
> It could be the server is trying to access the time server over a heavily
> congested network which could cause these types of problems.
>
> How old is the hardware?
> How often do these entries appear in the log?
> What is the ping / traceroute to the time server you are using?
> Are there any other machines on the same local network that are using this
> timeserver? Do they have problems?
>
> On 10 September 2015 at 14:18, Prasun Gera wrote:
>
>> So I did a bit of googling and tinker panic 0 only makes sense for
>> virtual machines. Is there any way to confirm if it is indeed a hardware
>> issue?
>>
From piolet.y at gmail.com Thu Sep 10 13:59:51 2015
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Thu, 10 Sep 2015 15:59:51 +0200
Subject: [Freeipa-users] certificate add subject alt Name
In-Reply-To: <55F05A57.8000907@redhat.com>
References: <3880303.smKUlFW0em@techz> <55F05A57.8000907@redhat.com>
Message-ID:

Hi,

I'm not sure I understood all of your problem, but here is some information
that may help:

- First, you don't change a certificate, but you can revoke it and make a
  new one.
- If you need to add a SubjectAltName to a certificate, you may have
  realized that the -D parameter makes the request get rejected by FreeIPA
  when you try this:

  ipa-getcert request -d $NSSPATH -n $CERTNAME -p $PWDFILE -N "CN=$FQDN,O=$DOMAIN" -D "$CNAME" -K $PRINCIPAL

  You have to force FreeIPA to recognise the CNAME first.

  $ ipa host-add cname.domain --force
  $ ipa service-add service/fqdn
  $ ipa service-add service/cname.domain --force
  $ ipa service-add-host service/cname.domain --host fqdn

  Then the ipa-getcert request will work.

I hope it helps (you or anyone else needing a subjectaltname in a certificate).

Cheers,

--
Youenn Piolet
piolet.y at gmail.com

2015-09-09 18:12 GMT+02:00 Petr Spacek :
> On 5.9.2015 12:48, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > System CentOS 7.
> >
> > is it possible to change a certificate to add a subject alt name?
> >
> > My "Problem" is, I have a Mail Server with name smtp.example.com and the
> > correct service certificates smtp/smtp.example.com & imap/example.com
> > now I make in my DNS Server (is a external system) a new Record
> > "imap IN CNAME smtp" but this is now missing in the certificate?
> >
> > The Problem I mean is DNSSEC, so I can't setup this with freeIPA and I
> > don't have a host/imap.example.com.
>
> I'm sorry but I do not see how this is related to DNS. It might not be
> related to IPA at all.
>
> IPA only issues the cert.
> If the cert contains both subjectAltNames then the
> problem is likely in your DNS configuration or in configuration on the
> application server side (where you installed the cert).
>
> Unfortunately I'm not able to tell you more without more details - what
> application you use, what versions, how you configured it, etc.
>
> --
> Petr^2 Spacek
>

From janellenicole80 at gmail.com Thu Sep 10 15:05:16 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Thu, 10 Sep 2015 08:05:16 -0700
Subject: [Freeipa-users] Logging?
In-Reply-To: <55F199FE.2090002@redhat.com>
References: <55F08D92.7020607@gmail.com> <55F199FE.2090002@redhat.com>
Message-ID: <55F19C2C.2060405@gmail.com>

On 9/10/15 7:55 AM, Martin Kosek wrote:
> Thanks for feedback, I am CCing Peter Schiffer and Jakub Hrozek who were
> involved more in the client parts.
>
> What did you run for configuring the client? ipa-log-config from
>
> https://github.com/pschiffe/ipa-log-config
>
> ?

Hi Martin,

Yes, I did run the log config tool. It works flawlessly on the IPA servers,
but although it claims it sets everything up on clients, I am seeing no
actual data, even though there is data in the logs themselves. So I am busy
trying to debug where rsyslog is missing something.
I am more of a syslog-ng person, so I am having to learn all the bits and
pieces of rsyslog, and perhaps I am missing something.

To further help -- I have tried 2 methods of a client. One with a client
that was "enrolled" via standard ipa-client-install, and another LDAP-only
client, still using SSSD but only configured with LDAP settings for Auth.

~J

From abokovoy at redhat.com Thu Sep 10 15:22:56 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 10 Sep 2015 18:22:56 +0300
Subject: [Freeipa-users] Vector/hi-res logo
In-Reply-To: <55F19833.20202@redhat.com>
References: <55F19833.20202@redhat.com>
Message-ID: <20150910152256.GE6168@redhat.com>

On Thu, 10 Sep 2015, Martin Kosek wrote:
>This is interesting problem to have :-) The biggest bitmap image I have is
>
>http://www.freeipa.org/images/freeipa/freeipa-logo.png
>
>Maybe Petr Spacek has some better version, he was involved with the logo recently.

Mo did the original design and SVG is still available at her DeviantArt page:
http://pookstar.deviantart.com/art/FreeIPA-logo-57616785

--
/ Alexander Bokovoy

From jmcassidy at ou.edu Thu Sep 10 15:35:24 2015
From: jmcassidy at ou.edu (Cassidy, James M.)
Date: Thu, 10 Sep 2015 15:35:24 +0000
Subject: [Freeipa-users] PKI-CAD service fails, IPA won't start
Message-ID: <87ADF036D9338F448627665EECE345C8CA8BBD@it-monad.sooner.net.ou.edu>

Hello:

So recently, we received some new workstations that I loaded with Ubuntu 12.04.
The person who had this sysadmin position before me set up the IPA domain
and had it running for quite some time. I went to add one of the systems to
the domain through a script he created; something in the configuration
failed, so I performed an uninstall and was gonna return to it after I
retool the script.

However, since then IPA has failed to function for more than two minutes at
a time. Upon an "ipactl start" it will start every service (even allowing
IPA commands to be executed) until it hits the pki-cad service, where it
hangs for a while, then seemingly hits a timeout limit and assumes that it
fails. Sometimes it does fail, but ipactl doesn't react to this immediately,
and it always seems to hit the timeout.

Running a journalctl -f as soon as I can, I see the following:

Sep 10 14:40:42 [IPA server] systemd[1]: Reached target 389 Directory Server.
Sep 10 14:40:42 [IPA server] systemd[1]: Starting 389 Directory Server [org name]....
Sep 10 14:40:42 [IPA server] systemd[1]: Ignoring invalid environment 'export KRB5_KTNAME=/etc/dirsrv/ds.keytab': /etc/sysconfig/dirsrv
Sep 10 14:40:42 [IPA server] systemd[1]: Starting 389 Directory Server PKI-IPA....
Sep 10 14:40:42 [IPA server] systemd[1]: Ignoring invalid environment 'export KRB5_KTNAME=/etc/dirsrv/ds.keytab': /etc/sysconfig/dirsrv
Sep 10 14:40:43 [IPA server] systemd[1]: Started 389 Directory Server PKI-IPA..
Sep 10 14:40:43 [IPA server] systemd[1]: Started 389 Directory Server [org name]..
Sep 10 14:41:00 [IPA server] systemd[1]: Starting Kerberos 5 KDC...
Sep 10 14:41:00 [IPA server] systemd[1]: Started Kerberos 5 KDC.
Sep 10 14:41:00 [IPA server] systemd[1]: Starting Kerberos 5 Password-changing and Administration...
Sep 10 14:41:01 [IPA server] systemd[1]: Started Kerberos 5 Password-changing and Administration.
Sep 10 14:41:01 [IPA server] systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
[huge wall of DNS config, completes successfully]
Sep 10 14:41:02 [IPA server] systemd[1]: Started Berkeley Internet Name Domain (DNS).
Sep 10 14:41:02 [IPA server] systemd[1]: Starting Host and Network Name Lookups.
Sep 10 14:41:02 [IPA server] systemd[1]: Reached target Host and Network Name Lookups.
Sep 10 14:41:02 [IPA server] systemd[1]: Started IPA memcached daemon, increases IPA server performance.
Sep 10 14:41:03 [IPA server] systemd[1]: Starting The Apache HTTP Server...
Sep 10 14:41:05 [IPA server] httpd[841]: [Thu Sep 10 14:41:05.050236 2015] [so:warn] [pid 841] AH01574: module nss_module is already loaded, skipping
Sep 10 14:41:06 [IPA server] systemd[1]: Started The Apache HTTP Server.
Sep 10 14:41:06 [IPA server] systemd[1]: Starting PKI Certificate Authority Server.
Sep 10 14:41:06 [IPA server] systemd[1]: Reached target PKI Certificate Authority Server.
Sep 10 14:41:06 [IPA server] systemd[1]: Starting PKI Certificate Authority Server pki-ca...
Sep 10 14:41:06 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:06 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:06 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:07 [IPA server] runuser[958]: pam_unix(runuser-l:session): session opened for user pkiuser by (uid=0)
Sep 10 14:41:07 [IPA server] runuser[958]: pam_unix(runuser-l:session): session closed for user pkiuser
Sep 10 14:41:07 [IPA server] named[828]: zone [subnet].in-addr.arpa/IN: sending notifies (serial 2012080892)
Sep 10 14:41:07 [IPA server] named[828]: zone [org name]/IN: sending notifies (serial 2012080918)
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:08 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:08 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 2
Sep 10 14:41:08 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 1
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 1
Sep 10 14:41:10 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 1
Sep 10 14:41:10 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 2
Sep 10 14:41:10 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:12 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:12 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:12 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:12 [IPA server] runuser[1061]: pam_unix(runuser-l:session): session opened for user pkiuser by (uid=0)
Sep 10 14:41:12 [IPA server] runuser[1061]: pam_unix(runuser-l:session): session closed for user pkiuser
Sep 10 14:41:13 [IPA server] pkicontrol[1039]: /var/lib/pki-ca/pki-ca: line 101: log_success_msg: command not found
Sep 10 14:41:13 [IPA server] systemd[1]: Started PKI Certificate Authority Server pki-ca.
Sep 10 14:41:16 [IPA server] ns-slapd[690]: GSSAPI server step 1 Sep 10 14:41:16 [IPA server] ns-slapd[690]: GSSAPI server step 2 Sep 10 14:41:16 [IPA server] ns-slapd[690]: GSSAPI server step 3 Sep 10 14:41:25 [IPA server] ns-slapd[690]: GSSAPI server step 1 Sep 10 14:41:25 [IPA server] ns-slapd[690]: GSSAPI server step 2 Sep 10 14:41:25 [IPA server] ns-slapd[690]: GSSAPI server step 3 Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 1 Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 1 Sep 10 14:41:34 [IPA server] ns-slapd[690]: GSSAPI server step 1 Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 1 Sep 10 14:41:34 [IPA server] ns-slapd[690]: GSSAPI server step 2 Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 2 Sep 10 14:41:34 [IPA server] ns-slapd[690]: GSSAPI server step 3 Sep 10 14:41:39 [IPA server] ns-slapd[690]: GSSAPI server step 1 Sep 10 14:41:39 [IPA server] ns-slapd[690]: GSSAPI server step 2 Sep 10 14:41:39 [IPA server] ns-slapd[690]: GSSAPI server step 3 Sep 10 14:41:50 [IPA server] ns-slapd[690]: GSSAPI server step 1 Sep 10 14:41:50 [IPA server] ns-slapd[690]: GSSAPI server step 2 Sep 10 14:41:50 [IPA server] ns-slapd[690]: GSSAPI server step 3 Sep 10 14:43:32 [IPA server] ns-slapd[690]: GSSAPI server step 1 Sep 10 14:43:32 [IPA server] ns-slapd[690]: GSSAPI server step 2 Sep 10 14:43:32 [IPA server] ns-slapd[690]: GSSAPI server step 3 Sep 10 14:46:06 [IPA server] ipactl[545]: Failed to start pki-cad Service Sep 10 14:46:06 [IPA server] ipactl[545]: Shutting down Not entirely sure what the issue is here, the server config wasn't modified at all. Most of the logfiles in /var/log/pki-ca are completely empty. The dirsrv access logs for the slapd-PKI-IPA directory cut off around the time that I attempted the client install. 
The dirsrv error log contains: [10/Sep/2015:14:40:44 +0000] - 389-Directory/1.3.1.22.a1 B2014.073.1751 starting up [10/Sep/2015:14:40:46 +0000] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 96 ldap://[IPA server]:7389} 5022b749000000600000 54931184000100600000] which is present in RUV [database RUV] [10/Sep/2015:14:40:46 +0000] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica o=ipaca there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog. [10/Sep/2015:14:40:46 +0000] - slapd started. Listening on All Interfaces port 7389 for LDAP requests [10/Sep/2015:14:40:46 +0000] - Listening on All Interfaces port 7390 for LDAPS requests [10/Sep/2015:14:40:48 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) That last message repeats a few more times until the ipactl process kills the directory services. I'm at a complete loss. Has anyone else seen this or could point out what exactly happened? I can start the individual services, but the IPA service always fails, due to either the PKI-CAD service failing or the timeout. Sorry for the wall of text. James Cassidy -------------- next part -------------- An HTML attachment was scrubbed... 
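Added example for the dirsrv error log quoted above; it is not part of the post, of FreeIPA or of 389-ds. The script parses lines in the 389-ds errors-log format, pulls the replica ID and URL out of the ruv_compare_ruv warning (the ID a CLEANALLRUV task would take, and only after confirming that replica really is decommissioned, as the log message itself says), and counts the failed startTLS binds. The sample lines are constructed to match the quoted format; the hostname is an assumption.

```python
"""Triage a 389 Directory Server errors log for the two conditions the post
above shows: a changelog/database RUV mismatch (a CLEANALLRUV candidate) and
failed startTLS binds to a replication peer.  Added example; not part of the
original post, FreeIPA or 389-ds.  The sample lines are constructed to match
the quoted log format; the hostname is an assumption."""
import re
from collections import Counter
from dataclasses import dataclass, field

# "[10/Sep/2015:14:40:46 +0000] NSMMReplicationPlugin - message..."
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
# "...does not contain element [{replica 96 ldap://host:7389} <min csn> <max csn>]"
RUV_ELEMENT_RE = re.compile(
    r"does not contain element \[\{replica (?P<rid>\d+) (?P<url>ldap://[^}]+)\}")
RUV_WARNING_RE = re.compile(
    r"replica_check_for_data_reload: Warning: for replica (?P<suffix>\S+) ")
STARTTLS_RE = re.compile(
    r"slapi_ldap_bind - Error: could not send startTLS request: error (?P<code>-?\d+)")


@dataclass
class Findings:
    missing_replicas: dict = field(default_factory=dict)       # replica id -> ldap URL
    ruv_warning_suffixes: list = field(default_factory=list)   # e.g. ["o=ipaca"]
    starttls_failures: Counter = field(default_factory=Counter)  # error code -> count


def triage(lines):
    """Classify each errors-log line; lines that match nothing are ignored."""
    f = Findings()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        e = RUV_ELEMENT_RE.search(msg)
        if e:
            f.missing_replicas[int(e.group("rid"))] = e.group("url")
        w = RUV_WARNING_RE.search(msg)
        if w:
            f.ruv_warning_suffixes.append(w.group("suffix"))
        t = STARTTLS_RE.search(msg)
        if t:
            f.starttls_failures[int(t.group("code"))] += 1
    return f


def recommendations(f):
    """Turn findings into next steps.  CLEANALLRUV is only safe for a replica
    that is really decommissioned, which the log alone cannot tell you."""
    out = []
    for rid, url in sorted(f.missing_replicas.items()):
        out.append(f"replica id {rid} ({url}) is in the database RUV but absent from "
                   f"the changelog; confirm it is decommissioned before a CLEANALLRUV task")
    if f.starttls_failures:
        n = sum(f.starttls_failures.values())
        out.append(f"{n} failed startTLS bind(s) to a replication peer; check the peer "
                   f"is listening on its LDAP port and its certificate validates")
    return out


# Constructed sample, modelled on the errors log quoted in the post.
SAMPLE_LOG = [
    "[10/Sep/2015:14:40:44 +0000] - 389-Directory/1.3.1.22.a1 B2014.073.1751 starting up",
    "[10/Sep/2015:14:40:46 +0000] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] "
    "does not contain element [{replica 96 ldap://ipa.example.test:7389} 5022b749000000600000 "
    "54931184000100600000] which is present in RUV [database RUV]",
    "[10/Sep/2015:14:40:46 +0000] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: "
    "for replica o=ipaca there were some differences between the changelog max RUV and the database RUV.",
    "[10/Sep/2015:14:40:46 +0000] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests",
    "[10/Sep/2015:14:40:48 +0000] slapi_ldap_bind - Error: could not send startTLS request: "
    "error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)",
    "[10/Sep/2015:14:40:58 +0000] slapi_ldap_bind - Error: could not send startTLS request: "
    "error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)",
]

if __name__ == "__main__":
    for line in recommendations(triage(SAMPLE_LOG)):
        print(line)
```

Run it against /var/log/dirsrv/slapd-PKI-IPA/errors (or the instance in question) by reading the file into triage(); the repeated startTLS failure in the post is the replication plugin failing to reach its peer, which is a separate problem from the RUV warning.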
URL: From pspacek at redhat.com Thu Sep 10 15:47:41 2015 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 10 Sep 2015 17:47:41 +0200 Subject: [Freeipa-users] Vector/hi-res logo In-Reply-To: <20150910152256.GE6168@redhat.com> References: <55F19833.20202@redhat.com> <20150910152256.GE6168@redhat.com> Message-ID: <55F1A61D.6000107@redhat.com> On 10.9.2015 17:22, Alexander Bokovoy wrote: > On Thu, 10 Sep 2015, Martin Kosek wrote: >> On 09/08/2015 08:13 PM, Ian Pilcher wrote: >>> Now that I'm actually using IPA authentication for a few services within >>> my house, I'm going to set up a simple "start page" with a few links, >>> including a link to IPA web UI for password changes. I'd like to use >>> the FreeIPA logo, but I've only been able to find very small and/or >>> fuzzy versions. >>> >>> Does anyone know where I can find a high-resolution or vector version of >>> the logo? >>> >>> Thanks! >> >> This is an interesting problem to have :-) The biggest bitmap image I have is >> >> http://www.freeipa.org/images/freeipa/freeipa-logo.png >> >> Maybe Petr Spacek has some better version, he was involved with the logo >> recently. > Mo did the original design and SVG is still available at her DeviantArt > page: http://pookstar.deviantart.com/art/FreeIPA-logo-57616785 I've uploaded the SVG file I found somewhere to http://www.freeipa.org/page/File:FreeIPA.svg so we do not lose it over time :-) -- Petr^2 Spacek From prasun.gera at gmail.com Thu Sep 10 12:18:56 2015 From: prasun.gera at gmail.com (Prasun Gera) Date: Thu, 10 Sep 2015 05:18:56 -0700 Subject: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM In-Reply-To: References: Message-ID: So I did a bit of googling and tinker panic 0 only makes sense for virtual machines. Is there any way to confirm if it is indeed a hardware issue? On Thu, Sep 10, 2015 at 5:16 AM, Andrew Holway wrote: > That's odd. You would normally not need it on bare metal. It could be > broken hardware.
> > On 10 September 2015 at 14:05, Prasun Gera wrote: > >> Thanks. I'm not virtualizing though. Should I still add it ? >> >> On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway >> wrote: >> >>> Hi, >>> >>> I assume you are virtualising. >>> >>> Try adding "tinker panic 0" to /etc/ntp.conf. >>> >>> It should make it tolerant to heavily drifting virtual clocks. >>> >>> Cheers, >>> >>> Andrew >>> >>> On 10 September 2015 at 13:46, Prasun Gera >>> wrote: >>> >>>> OS: RHEL 7.1 w IDM >>>> >>>> I'm seeing these messages in my master's log messages. I don't know if >>>> it's related, but I think I started seeing them after I set up a replica. >>>> Everything seems to be working fine, but I'm worried that things will break >>>> if delta grows beyond a point. I tried steps in >>>> https://access.redhat.com/solutions/35640, but it didn't really help. >>>> The messages still appear regularly in the log. >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From arequipeno at gmail.com Thu Sep 10 16:24:00 2015 From: arequipeno at gmail.com (Ian Pilcher) Date: Thu, 10 Sep 2015 11:24:00 -0500 Subject: [Freeipa-users] Vector/hi-res logo In-Reply-To: <55F1A61D.6000107@redhat.com> References: <55F19833.20202@redhat.com> <20150910152256.GE6168@redhat.com> <55F1A61D.6000107@redhat.com> Message-ID: <55F1AEA0.30004@gmail.com> Thanks all! (And I should have known that it would be Mo's work.) 
-- ======================================================================== Ian Pilcher arequipeno at gmail.com -------- "I grew up before Mark Zuckerberg invented friendship" -------- ======================================================================== From CWhite at skytouchtechnology.com Thu Sep 10 22:47:27 2015 From: CWhite at skytouchtechnology.com (Craig White) Date: Thu, 10 Sep 2015 22:47:27 +0000 Subject: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master Message-ID: Following instructions from here... https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html RHEL6 server # rpm -qa ipa-server ipa-server-3.0.0-42.el6.x86_64 RHEL7 server # rpm -q ipa-server ipa-server-4.1.0-18.el7_1.4.x86_64 I am down to the part where I am trying to make the new RHEL7 server the master CA server On the RHEL6 system, I # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" Number of certificates and requests being tracked: 8. Request ID '20141022190721': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=STT.LOCAL subject: CN=CA Subsystem,O=STT.LOCAL expires: 2016-10-11 19:06:36 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes and the 'post-save' command is empty, doesn't track the page. Should I just ignore? 
I note that the output from this (save for different file path on RHEL6) indicates that the original RHEL6 is still CA Master. The CRL generation master can be determined by looking at CS.cfg on each CA: # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg ca.crl.MasterCRL.enableCRLUpdates=true Also, when I set up the second new IPA master, do I also make it a CA? Craig White System Administrator O 623-201-8179 M 602-377-9752 SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032 -------------- next part -------------- An HTML attachment was scrubbed... URL: From gustavo.mateus at gmail.com Thu Sep 10 23:30:17 2015 From: gustavo.mateus at gmail.com (Gustavo Mateus) Date: Thu, 10 Sep 2015 16:30:17 -0700 Subject: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd Message-ID: Hi, I'm trying to set up my Amazon Linux instances to be able to fetch the IPA users' public ssh keys. Do I have to set up a binddn and bindpw in the ldap.conf file and use /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it? Thanks, Gustavo -------------- next part -------------- An HTML attachment was scrubbed... URL: From prashant at apigee.com Fri Sep 11 05:41:37 2015 From: prashant at apigee.com (Prashant Bapat) Date: Fri, 11 Sep 2015 11:11:37 +0530 Subject: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd In-Reply-To: References: Message-ID: One way to do it is to write a small script which will fetch the keys from LDAP. As for authentication, I make the SSH public key anonymously readable for everyone. On 11 September 2015 at 05:00, Gustavo Mateus wrote: > Hi, > > I'm trying to set up my Amazon Linux instances to be able to fetch the IPA > users' public ssh keys.
> > Do I have to set up a binddn and bindpw in the ldap.conf file and use > /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it? > > Thanks, > Gustavo > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gjn at gjn.priv.at Fri Sep 11 08:06:21 2015 From: gjn at gjn.priv.at (Günther J. Niederwimmer) Date: Fri, 11 Sep 2015 10:06:21 +0200 Subject: [Freeipa-users] New Host and IP Address Message-ID: <1684002.oR1MjGi30E@techz> Hello, System CentOS 7, FreeIPA 4.1. I'd like to add a new host with a service like imap/imap.example.com. The imap.example.com exists in the zone file with a CNAME record. I can't find the correct doc for my problem ;-) The second problem is, is it possible to add an IPv6 address to the host and certificates? Thanks for an answer, -- kind regards / best regards, Günther J. Niederwimmer From karl.forner at gmail.com Fri Sep 11 08:10:15 2015 From: karl.forner at gmail.com (Karl Forner) Date: Fri, 11 Sep 2015 10:10:15 +0200 Subject: [Freeipa-users] [work-around] sss_ssh_knownhostsproxy problem with sparkleshare due to setlocale() Message-ID: Hi, I kind of fixed my problem, but I share it here in case it can help others. I had problems with sparkleshare on my freeIPA-enrolled workstation, e.g.
I got error messages like this: 19:04:52 | Cmd | QB_resources | git ls-remote --heads --exit-code "ssh://xxxl at yyyy/secure/sparkleshare/resources" master 19:04:52 | Git | projects | (Wed Sep 9 19:04:52:432246 2015) [/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0020): set_locale() failed (5): Input/output error I went to see the source code of sss_ssh_knownhostsproxy, and it seems that the problem comes from these lines: c = setlocale(LC_ALL, ""); if (c == NULL) { return EIO; } According to "man setlocale()", this is perfectly good: > On startup of the main program, the portable "C" locale is selected as default. A program may be made portable to all locales by calling: > setlocale(LC_ALL, ""); and > For glibc, first (regardless of > category), the environment variable LC_ALL is inspected, next the environment variable with the same name as the category (LC_COLLATE, LC_CTYPE, LC_MESSAGES, LC_MONETARY, LC_NUMERIC, > LC_TIME) and finally the environment variable LANG. The first existing environment variable is used. If its value is not a valid locale specification, the locale is unchanged, and setlocale() returns NULL. In my case, apparently setlocale() returns NULL. I could not reproduce this setlocale() call by myself, even trying to use the environment of the sparkleshare process (which by the way is a mono program). But I noticed that running sparkleshare as follows fixed the problem: LC_ALL="en_US.UTF-8" mono "/usr/lib/sparkleshare/SparkleShare.exe" So I just edited my /etc/default/locale to permanently fix my problem. Nonetheless, I'd be curious to understand why the setlocale() call fails when sss_ssh_knownhostsproxy is called via git via sparkleshare (via mono). Regards, Karl Forner -------------- next part -------------- An HTML attachment was scrubbed...
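Added example for the "AuthorizedKeysCommand for clients using nss-pam-ldapd" thread above (Gustavo's question and Prashant's suggestion to write a small script that fetches the keys from LDAP). It is not code from either post, from FreeIPA or from sssd; LDAP_URI, USER_BASE and the sample LDIF are assumptions, and the sample keys are not real keys. Two things the script does that a quick one-liner usually does not: because the lookup is anonymous, all of the security is in the transport, so ldapsearch is run with -ZZ, which refuses to continue unless StartTLS succeeds with a validated server certificate (otherwise anyone on the path could answer with their own key); and the username sshd hands over as %u is validated and RFC 4515-escaped before it goes into the LDAP filter, and only well-formed key lines are printed.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand that fetches a user's ipaSshPubKey values from the
IPA directory with an anonymous ldapsearch and prints them in
authorized_keys format.  Added example; not from the posts above nor from
FreeIPA or sssd.  LDAP_URI, USER_BASE and the sample LDIF are assumptions.

sshd_config (see the usage note below):
    AuthorizedKeysCommand /usr/local/sbin/ipa-ssh-keys %u
    AuthorizedKeysCommandUser nobody
"""
import base64
import re
import subprocess
import sys

LDAP_URI = "ldap://ipa.example.test"                   # assumed
USER_BASE = "cn=users,cn=accounts,dc=example,dc=test"  # assumed IPA suffix

# sshd has already checked %u, but the script can also be run by hand and the
# value ends up in an LDAP filter: be strict (IPA normalises names to lowercase).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
# key type, base64 blob, optional comment; no line breaks allowed.
KEY_RE = re.compile(
    r"^(?:sk-)?(?:ssh-|ecdsa-sha2-)[\w@.-]+ [A-Za-z0-9+/]+={0,3}(?: [^\r\n]*)?$")


def ldap_filter_escape(value):
    """RFC 4515 escaping so user input cannot change the filter's structure."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def build_search_cmd(user):
    """ldapsearch argv.  -x is an anonymous simple bind; -ZZ aborts unless
    StartTLS succeeds and the server certificate validates, so nobody on the
    network path can answer with a key of their own."""
    return ["ldapsearch", "-x", "-ZZ", "-LLL", "-o", "ldif-wrap=no",
            "-H", LDAP_URI, "-b", USER_BASE, "-s", "one",
            f"(&(objectClass=posixAccount)(uid={ldap_filter_escape(user)}))",
            "ipaSshPubKey"]


def parse_ldif_keys(ldif_text):
    """Unfold LDIF continuation lines, decode base64 ('::') values and keep
    only values that look like a public key line."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    keys = []
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "ipasshpubkey":
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if KEY_RE.match(value):
            keys.append(value)
    return keys


def authorized_keys(user, run=subprocess.run):
    """Keys for `user`, or an empty list: an invalid name or a failed lookup
    fails closed (no keys) rather than falling back to anything weaker."""
    if not USERNAME_RE.match(user):
        return []
    proc = run(build_search_cmd(user), capture_output=True, text=True, timeout=10)
    if proc.returncode != 0:
        return []
    return parse_ldif_keys(proc.stdout)


# Constructed sample LDIF (not real keys), with a folded line as ldapsearch
# emits without ldif-wrap=no and a base64-encoded value.
SAMPLE_KEY_ED25519 = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxvbmdlbm91Z2hmYWtla2V5Ynl0ZXM "
                      "gustavo@laptop")
SAMPLE_KEY_RSA = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0fake= manager"
SAMPLE_LDIF = (
    "dn: uid=gustavo,cn=users,cn=accounts,dc=example,dc=test\n"
    "ipaSshPubKey: " + SAMPLE_KEY_ED25519[:60] + "\n " + SAMPLE_KEY_ED25519[60:] + "\n"
    "ipaSshPubKey:: " + base64.b64encode(SAMPLE_KEY_RSA.encode()).decode() + "\n"
    "ipaSshPubKey: not a key at all\n\n"
)

if __name__ == "__main__":
    for key in authorized_keys(sys.argv[1] if len(sys.argv) > 1 else ""):
        print(key)
```

Install it as root-owned and not group- or world-writable (sshd refuses AuthorizedKeysCommand otherwise), point AuthorizedKeysCommandUser at a dedicated unprivileged account, and make sure the client's ldap.conf carries the IPA CA certificate so that -ZZ can validate the server. A binddn/bindpw is not needed when the attribute is anonymously readable, as Prashant describes.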
URL: From abokovoy at redhat.com Fri Sep 11 08:17:38 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 11 Sep 2015 11:17:38 +0300 Subject: [Freeipa-users] [work-around] sss_ssh_knownhostsproxy problem with sparkleshare due to setlocale() In-Reply-To: References: Message-ID: <20150911081738.GG6168@redhat.com> On Fri, 11 Sep 2015, Karl Forner wrote: >Hi, > >I kind of fixed my problem, but I share it there in case it can help others. > >I had problems with sparkleshare on my freeIPA-enrolled workstation, e.g. I >got >error messages like this: > >19:04:52 | Cmd | QB_resources | git ls-remote --heads --exit-code >"ssh://xxxl at yyyy/secure/sparkleshare/resources" master >19:04:52 | Git | projects | (Wed Sep 9 19:04:52:432246 2015) >[/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0020): set_locale() failed >(5): Input/output error > >I went to see the source code of sss_ssh_knownhostsproxy, and it seems that >the problem comes from these lines: > c = setlocale(LC_ALL, ""); > if (c == NULL) { > return EIO; > } > >According to "man setlocale()", this is perfectly good: > >> On startup of the main program, the portable "C" locale is >selected as default. A program may be made portable to all locales by >calling: >> setlocale(LC_ALL, ""); > and >> For glibc, first (regardless of > > category), the environment variable LC_ALL is inspected, next the >environment variable with the same name as the category (LC_COLLATE, >LC_CTYPE, LC_MESSAGES, LC_MONETARY, LC_NUMERIC, > > LC_TIME) and finally the environment variable LANG. The first >existing environment variable is used. If its value is not a valid locale >specification, the locale is unchanged, and setlo? > > cale() returns NULL. > >In my case, apparently setlocate() returns NULL. I could not reproduce this >setlocale() call by myself, event trying to use the environment of the >sparkleshare process (which by the way is a mono program). 
> > But I noticed that running sparkleshare as follows fixed the problem: > LC_ALL="en_US.UTF-8" mono "/usr/lib/sparkleshare/SparkleShare.exe" > > So I just edited my /etc/default/locale to permanently fix my problem. > Nonetheless, I'd be curious to understand why the setlocale() call fails > when sss_ssh_knownhostsproxy is called via git via sparkleshare (via mono). Thanks for the report. Could you please file a bug against sssd to have this fixed? There are multiple cases when your own locale is different from the remote environment and in cloud images you might not even have additional locale information available, so when SSH is configured to pass LC_* variables (like in Fedora or RHEL), they are forced in the remote shell and the setlocale() result is often NULL. I'm stumbling with this all the time. -- / Alexander Bokovoy From abokovoy at redhat.com Fri Sep 11 08:26:54 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 11 Sep 2015 11:26:54 +0300 Subject: [Freeipa-users] New Host and IP Address In-Reply-To: <1684002.oR1MjGi30E@techz> References: <1684002.oR1MjGi30E@techz> Message-ID: <20150911082654.GH6168@redhat.com> On Fri, 11 Sep 2015, Günther J. Niederwimmer wrote: >Hello, > >System CentOS 7 FreeIPA 4.1, > >I'd like to add a new host with a service like imap/imap.example.com > >The imap.example.com exists in the zone file with a CNAME record. > >I can't find the correct doc for my problem ;-) ipa help host ipa help service and in general 'ipa help ' or 'ipa help ' where command is something reported by 'ipa help ' are very helpful if you don't want to go and read the actual user's guide (which is very comprehensive and has specific sections on host and service operations). A CNAME-based hostname will not work for GSSAPI authentication so your service based on CNAME couldn't get Kerberos keys properly. You need to create both an A host entry and then a service on that host to make sure they are properly authenticating over GSSAPI/Kerberos.
To allow issuing certificates for services with subjectAltName to CNAME, make sure an A host manages a CNAME host in IPA (see 'ipa host-*' related commands). >the second Problem is, is it possible to add a IPv6 Address to the Host and >Certificates? While IP addresses could be added to certificates, we don't allow it as it is not recommended practice, thus our current validation rules prevent it. In short, you cannot currently set up a certificate request that includes IPv4/IPv6 addresses to certificate's subjectAltName. A question of IPv4/IPv6 addresses for hosts is orthogonal to IPA itself. Whatever you use for DNS, should be able to handle A/AAAA entries (including IPA DNS). -- / Alexander Bokovoy From karl.forner at gmail.com Fri Sep 11 08:32:04 2015 From: karl.forner at gmail.com (Karl Forner) Date: Fri, 11 Sep 2015 10:32:04 +0200 Subject: [Freeipa-users] [work-around] sss_ssh_knownhostsproxy problem with sparkleshare due to setlocale() In-Reply-To: <20150911081738.GG6168@redhat.com> References: <20150911081738.GG6168@redhat.com> Message-ID: done: Ticket #2785 On Fri, Sep 11, 2015 at 10:17 AM, Alexander Bokovoy wrote: > On Fri, 11 Sep 2015, Karl Forner wrote: > >> Hi, >> >> I kind of fixed my problem, but I share it there in case it can help >> others. >> >> I had problems with sparkleshare on my freeIPA-enrolled workstation, e.g. 
>> I >> got >> error messages like this: >> >> 19:04:52 | Cmd | QB_resources | git ls-remote --heads --exit-code >> "ssh://xxxl at yyyy/secure/sparkleshare/resources" master >> 19:04:52 | Git | projects | (Wed Sep 9 19:04:52:432246 2015) >> [/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0020): set_locale() failed >> (5): Input/output error >> >> I went to see the source code of sss_ssh_knownhostsproxy, and it seems >> that >> the problem comes from these lines: >> c = setlocale(LC_ALL, ""); >> if (c == NULL) { >> return EIO; >> } >> >> According to "man setlocale()", this is perfectly good: >> >> On startup of the main program, the portable "C" locale is >>> >> selected as default. A program may be made portable to all locales by >> calling: >> >>> setlocale(LC_ALL, ""); >>> >> and >> >>> For glibc, first (regardless of >>> >> > category), the environment variable LC_ALL is inspected, next the >> environment variable with the same name as the category (LC_COLLATE, >> LC_CTYPE, LC_MESSAGES, LC_MONETARY, LC_NUMERIC, >> > LC_TIME) and finally the environment variable LANG. The first >> existing environment variable is used. If its value is not a valid locale >> specification, the locale is unchanged, and setlo? >> > cale() returns NULL. >> >> In my case, apparently setlocate() returns NULL. I could not reproduce >> this >> setlocale() call by myself, event trying to use the environment of the >> sparkleshare process (which by the way is a mono program). >> >> But I noticed that running sparkleshare as followed fixed the problem: >> LC_ALL="en_US.UTF-8" mono "/usr/lib/sparkleshare/SparkleShare.exe" >> >> So I just edited my /etc/default/locale to permanently fix my problem. >> Nonetheless, I'd be curious the understand why the setlocale() call fails >> when sss_ssh_knownhostsproxy is called via git via sparkleshare (via >> mono). >> > Thanks for the report. Could you please file a bug against sssd to have > this fixed? 
> > There are multiple cases when your own locale is different from the > remote environment and in cloud images you might not even have > additional locale information available, so when SSH is configured to > pass LC_* variables (like in Fedora or RHEL), they are forced in the > remote shell and the setlocale() result is often NULL. I'm stumbling > with this all the time. > -- > / Alexander Bokovoy > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Fri Sep 11 10:25:24 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 11 Sep 2015 12:25:24 +0200 Subject: [Freeipa-users] Logging? In-Reply-To: <55F19C2C.2060405@gmail.com> References: <55F08D92.7020607@gmail.com> <55F199FE.2090002@redhat.com> <55F19C2C.2060405@gmail.com> Message-ID: <20150911102524.GF3603@hendrix.redhat.com> On Thu, Sep 10, 2015 at 08:05:16AM -0700, Janelle wrote: > On 9/10/15 7:55 AM, Martin Kosek wrote: > >On 09/09/2015 09:50 PM, Janelle wrote: > >>Hello, > >> > >>I was wondering if anyone has played with thee extended logging of IPA and > >>specifically SSSD and the kibana dashboards they put together. > >>https://www.freeipa.org/page/Centralized_Logging > >> > >>I can't seem to get "clients" to send the login info > >>(https://www.freeipa.org/images/6/65/Rek-user-logins.png) , even though I see > >>the data in the logs, and was wondering if anyone has any tips? > >> > >>Thank you > >>~Janelle > >Thanks for feedback, I am CCing Peter Schiffer and Jakub Hrozek who were > >involved more in the client parts. > > > >What did you run for configuring the client? ipa-log-config from > > > >https://github.com/pschiffe/ipa-log-config > > > >? > Hi Martin, > > Yes, I did run the log config tool. It works flawlessly on the IPA servers, > but although it claims it sets everything up on clients, I am seeing no > actual data, even though, there is data in the logs themselves.. So I am > busy trying to debug where rsyslog is missing something. 
I am more of a > syslog-ng person, so I am having to learn all the bits and pieces of > rsyslog, and perhaps I am missing something. > > To further help -- I have tried 2 methods of a client. One with a client > that was "enrolled" via standard ipa-client-install, and another LDAP-only > client, still using SSSD but only configured with LDAP settings for Auth. I would suggest debugging step by step -- are the sssd debug logs being generated? Are they being collected by rsyslog? etc. From pbrezina at redhat.com Fri Sep 11 10:32:43 2015 From: pbrezina at redhat.com (Pavel Březina) Date: Fri, 11 Sep 2015 12:32:43 +0200 Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db In-Reply-To: References: Message-ID: <55F2ADCB.2060805@redhat.com> On 09/09/2015 09:31 PM, Molnár Domokos wrote: > I have a working IPA server and a working client config on an OpenSuse > 13.2 with the following versions: > nappali:~ # rpm -qa |grep sssd > sssd-tools-1.12.2-3.4.1.i586 > sssd-krb5-1.12.2-3.4.1.i586 > python-sssd-config-1.12.2-3.4.1.i586 > sssd-ipa-1.12.2-3.4.1.i586 > sssd-1.12.2-3.4.1.i586 > sssd-dbus-1.12.2-3.4.1.i586 > sssd-krb5-common-1.12.2-3.4.1.i586 > sssd-ldap-1.12.2-3.4.1.i586 > sssd is configured for nss, pam, sudo > There is a test sudo rule defined in the ipa server, which applies to > user "doma". However when the user tries to use sudo the rule does not > work. > doma at nappali:/home/doma> sudo ls > doma's password: > doma is not allowed to run sudo on nappali. This incident will be reported. > The corresponding log in the sssd_sudo.log is this: > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > Received client version [1]. > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > Offered version [1].
> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'doma' matched without domain, user is doma > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'doma' matched without domain, user is doma > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting default options for [doma] from [] > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [doma at szilva] > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(name=defaults)))] > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'doma' matched without domain, user is doma > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'doma' matched without domain, user is doma > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting rules for [doma] from [] > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [doma at szilva] > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] > (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client > disconnected! > This seems perfectly OK with one exception. The query against the sysdb > does not find the entry. This is strange because the entry is there. > Log in sssd.log: > (Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb > Running the exact same query seen above in the sssd_sudo.log against the > db returns: > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb > "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))" > asq: Unable to register control with rootdse! > # record 1 > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb > cn: Doma_ls > dataExpireTimestamp: 1441830262 > entryUSN: 20521 > name: Doma_ls > objectClass: sudoRule > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva > sudoCommand: ls > sudoHost: nappali.szilva > sudoRunAsGroup: ALL > sudoRunAsUser: ALL > sudoUser: doma > distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb > # returned 1 records > # 1 entries > # 0 referrals > This confirms that the entry is indeed there in the db. Why is it found > with ldbsearch and why does sssd_sudo not find it? > I am pretty much stuck with this one. Anyone has an idea? > > Hi, this is strange. Can you provide the logs with debug level set to 0x3ff0 please? Can you also send it as an attachment? Thanks! 
From kretebe at freemail.hu Fri Sep 11 12:26:24 2015 From: kretebe at freemail.hu (Molnár Domokos) Date: Fri, 11 Sep 2015 14:26:24 +0200 (CEST) Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db In-Reply-To: <55F2ADCB.2060805@redhat.com> Message-ID: "Pavel Březina" wrote: >On 09/09/2015 09:31 PM, Molnár Domokos wrote: >> I have a working IPA server and a working client config on an OpenSuse >> 13.2 with the following versions: >> nappali:~ # rpm -qa |grep sssd >> sssd-tools-1.12.2-3.4.1.i586 >> sssd-krb5-1.12.2-3.4.1.i586 >> python-sssd-config-1.12.2-3.4.1.i586 >> sssd-ipa-1.12.2-3.4.1.i586 >> sssd-1.12.2-3.4.1.i586 >> sssd-dbus-1.12.2-3.4.1.i586 >> sssd-krb5-common-1.12.2-3.4.1.i586 >> sssd-ldap-1.12.2-3.4.1.i586 >> sssd is configured for nss, pam, sudo >> There is a test sudo rule defined in the ipa server, which applies to >> user "doma". However when the user tries to use sudo the rule does not >> work. >> doma at nappali:/home/doma> sudo ls >> doma's password: >> doma is not allowed to run sudo on nappali. This incident will be reported. >> The corresponding log in the sssd_sudo.log is this: >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): >> Received client version [1]. >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): >> Offered version [1].
>> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> (0x0200): name 'doma' matched without domain, user is doma >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> (0x0200): name 'doma' matched without domain, user is doma >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] >> (0x0200): Requesting default options for [doma] from [] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): >> Requesting info about [doma at szilva] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> [(&(objectClass=sudoRule)(|(name=defaults)))] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> (0x0200): name 'doma' matched without domain, user is doma >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> (0x0200): name 'doma' matched without domain, user is doma >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] >> (0x0200): Requesting rules for [doma] from [] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): >> Requesting info about [doma at szilva] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] >> (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client >> disconnected! >> This seems perfectly OK with one exception. The query against the sysdb >> does not find the entry. This is strange because the entry is there. >> Log in sssd.log: >> (Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): >> DB File for szilva: /var/lib/sss/db/cache_szilva.ldb >> So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb >> Running the exact same query seen above in the sssd_sudo.log against the >> db returns: >> ldbsearch -H /var/lib/sss/db/cache_szilva.ldb >> "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))" >> asq: Unable to register control with rootdse! >> # record 1 >> dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb >> cn: Doma_ls >> dataExpireTimestamp: 1441830262 >> entryUSN: 20521 >> name: Doma_ls >> objectClass: sudoRule >> originalDN: cn=Doma_ls,ou=sudoers,dc=szilva >> sudoCommand: ls >> sudoHost: nappali.szilva >> sudoRunAsGroup: ALL >> sudoRunAsUser: ALL >> sudoUser: doma >> distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb >> # returned 1 records >> # 1 entries >> # 0 referrals >> This confirms that the entry is indeed there in the db. Why is it found >> with ldbsearch and why does sssd_sudo not find it? >> I am pretty much stuck with this one. Anyone has an idea? >> >> >Hi, >this is strange. Can you provide the logs with debug level set to 0x3ff0 >please? Can you also send it as an attachment? Thanks! Sure. Here it is. Now I can see that the rule is returned. The question is why the rule does not match. 
Anyway much better :) (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [doma] from [szilva] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441973997)))] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@szilva] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [doma] from [szilva] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441973997)))] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] (Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [doma at szilva] (Fri Sep 11 14:20:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:20:00 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! (Fri Sep 11 14:20:00 2015) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x8f6abd0][17] (Fri Sep 11 14:20:10 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit as doma: doma at nappali:/home/doma> id uid=1816400003(doma) gid=1816400003(doma) groups=1816400003(doma),16(dialout),33(video),112(vboxusers),1000(burning),1816400006(picture_access) doma at nappali:/home/doma> hostname --fqdn nappali.szilva doma at nappali:/home/doma> domainname szilva doma at nappali:/home/doma> nisdomainname szilva doma at nappali:/home/doma> dnsdomainname szilva doma at nappali:/home/doma> sudo ls doma's password: doma is not allowed to run sudo on nappali. This incident will be reported. doma at nappali:/home/doma> as root: nappali:~ # ntpq -p remote refid st t when poll reach delay offset jitter ============================================================================== *helios.szilva 193.6.222.47 3 u 56 64 377 0.779 1.365 0.420 LOCAL(0) .LOCL. 10 l 535 64 0 0.000 0.000 0.000 nappali:~ # helios.szilva is the standalone IPA server. 
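The sssd_sudo.log excerpts in this thread (and the full log attached further down) all share one line format, and working out by hand which cache query ran, what it returned and where the responder bailed out is tedious. The following is an added example, not code from this thread or from the sssd project: a small parser for sssd's debug-line format that condenses a sudo responder log into what actually happened: which sudoUser identities sssd searched the cache for, how many rules it returned for whom, and which failure-class messages it logged (such as the "UID does not match" lines in the attached log). The sample lines are copied from this thread; the function names, the report layout and the hints in diagnose() are my own and are not sssd's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One sssd debug line, e.g.
# "(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]"
# The service part is optional because the monitor process logs as plain "[sssd]".
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd(?:\[(?P<svc>[^\]]+)\])?\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
FILTER_RE = re.compile(r"Searching sysdb with \[(?P<filter>.*)\]$")
SUDOUSER_RE = re.compile(r"\(sudoUser=([^)]*)\)")
RULES_RE = re.compile(r"Returning (?P<n>\d+) rules for \[(?P<who>[^\]]*)\]")

# sssd's failure-class debug levels: fatal, critical, operation and minor failure.
FAILURE_LEVELS = {0x0010, 0x0020, 0x0040, 0x0080}

# Constructed sample: lines copied from the logs posted in this thread, plus one
# non-log line to show that the parser skips prose that ended up in the log.
SAMPLE_LOG = """\
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@szilva]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [doma@szilva]
this line is not an sssd log entry and is skipped
"""


@dataclass
class Entry:
    ts: str
    svc: Optional[str]
    func: str
    level: int
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one sssd debug line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], m["svc"], m["func"], int(m["level"], 16), m["msg"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def summarize(entries: List[Entry]) -> dict:
    """Condense a sssd_sudo.log excerpt into what the sudo responder did."""
    report = {
        "requests": 0,          # queries from the sudo client (default options + rules)
        "uid_mismatches": 0,    # caller's UID differs from the cached user's UID
        "lookup_failures": 0,   # responder gave up before querying the rule cache
        "failures": [],         # (function, message) for every failure-class line
        "identities": set(),    # sudoUser values the cache was searched for
        "rules_returned": {},   # "user@domain" -> number of cached rules returned
    }
    for e in entries:
        if e.func == "sudosrv_cmd_parse_query_done":
            report["requests"] += 1
        if e.level in FAILURE_LEVELS:
            report["failures"].append((e.func, e.msg))
        if e.msg == "UID does not match":
            report["uid_mismatches"] += 1
        if e.msg.startswith("Error looking up user information"):
            report["lookup_failures"] += 1
        m = FILTER_RE.search(e.msg)
        if m:
            # sudoUser forms: plain user, #uid, %group, +netgroup, ALL
            report["identities"].update(SUDOUSER_RE.findall(m["filter"]))
        m = RULES_RE.search(e.msg)
        if m:
            report["rules_returned"][m["who"]] = int(m["n"])
    return report


def diagnose(report: dict) -> List[str]:
    """Turn the summary into the next question a troubleshooter should ask (my heuristics)."""
    hints = []
    if report["uid_mismatches"]:
        hints.append("UID passed by sudo differs from the cached user entry: compare "
                     "`id <user>` on the client with the server's uidNumber")
    if report["lookup_failures"]:
        hints.append("rule cache was never queried: fix user resolution first")
    for who, n in report["rules_returned"].items():
        if n == 0 and not who.startswith("@"):   # "@domain" is the defaults lookup
            hints.append(f"no cached rule matched {who}: check the rule's sudoUser/sudoHost")
    return hints


if __name__ == "__main__":
    rep = summarize(parse_log(SAMPLE_LOG))
    for key, value in rep.items():
        print(f"{key}: {value}")
    for hint in diagnose(rep):
        print("hint:", hint)
```

Run it against a real file with `summarize(parse_log(open("/var/log/sssd/sssd_sudo.log").read()))`; the identities set is the quickest way to see which user, UID, group and netgroup forms sssd is willing to match a rule's sudoUser against, and the failure list shows where a request stopped.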
From kretebe at freemail.hu Fri Sep 11 12:40:37 2015
From: kretebe at freemail.hu (Molnár Domokos)
Date: Fri, 11 Sep 2015 14:40:37 +0200 (CEST)
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
In-Reply-To:
Message-ID:

Full log attached.
-------------- next part --------------
(Wed Sep 2 09:26:37 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1)
(Wed Sep 2 09:26:37 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))].
(Wed Sep 2 09:26:37 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Wed Sep 2 09:26:37 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO)
(Wed Sep 2 09:26:37 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
(Wed Sep 2 09:26:37 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Wed Sep 2 09:26:37 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:26:45 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Wed Sep 2 09:26:49 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:28:44 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Wed Sep 2 09:28:48 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:30:07 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Wed Sep 2 09:30:10 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441179267)))]
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441179267)))]
(Wed Sep 2 09:34:27 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
(Wed Sep 2 09:34:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [root] from []
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [root] from []
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [root] from []
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [root] from []
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
(Wed Sep 2 09:37:08 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [root] from []
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [root] from []
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [root] from []
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [root] from []
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [root@szilva]
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
(Wed Sep 2 09:37:14 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:39:37 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Wed Sep 2 09:39:41 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match
(Wed Sep 2 09:39:43 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory
(Wed Sep 2 09:39:46 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match (Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory (Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match (Wed Sep 2 09:59:56 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory (Wed Sep 2 09:59:59 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. 
(Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match (Wed Sep 2 10:05:58 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory (Wed Sep 2 10:06:01 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. 
(Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match (Wed Sep 2 10:07:04 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory (Wed Sep 2 10:07:07 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. 
(Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): UID does not match (Wed Sep 2 10:07:42 2015) [sssd[sudo]] [sudosrv_get_sudorules] (0x0040): Error looking up user information [2]: No such file or directory (Wed Sep 2 10:07:44 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! (Wed Sep 2 17:13:30 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Wed Sep 2 17:13:30 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Wed Sep 2 17:13:30 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Wed Sep 2 17:13:30 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Wed Sep 2 17:13:30 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Wed Sep 2 17:13:30 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Wed Sep 2 17:13:30 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Wed Sep 2 20:56:54 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Wed Sep 2 20:56:54 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Wed Sep 2 20:56:54 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Wed Sep 2 20:56:54 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Wed Sep 2 20:56:54 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Wed Sep 2 20:56:54 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Wed Sep 2 20:56:54 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Wed Sep 2 21:36:29 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Wed Sep 2 21:36:31 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Wed Sep 2 21:36:31 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Wed Sep 2 21:36:31 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Wed Sep 2 21:36:31 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Wed Sep 2 21:36:31 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Wed Sep 2 21:36:31 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Wed Sep 2 21:50:29 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Wed Sep 2 21:50:29 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Wed Sep 2 21:50:29 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Wed Sep 2 21:50:29 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Wed Sep 2 21:50:29 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Wed Sep 2 21:50:29 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Wed Sep 2 21:50:29 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Thu Sep 3 22:18:21 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Thu Sep 3 22:18:21 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Thu Sep 3 22:18:21 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Thu Sep 3 22:18:21 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Thu Sep 3 22:18:21 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Thu Sep 3 22:18:21 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Thu Sep 3 22:18:21 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Fri Sep 4 19:18:35 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Fri Sep 4 19:18:36 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Fri Sep 4 19:18:36 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Fri Sep 4 19:18:36 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Fri Sep 4 19:18:36 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Fri Sep 4 19:18:36 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Fri Sep 4 19:18:36 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sat Sep 5 13:21:42 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Sat Sep 5 13:21:44 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Sat Sep 5 13:21:44 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Sat Sep 5 13:21:44 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Sat Sep 5 13:21:44 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Sat Sep 5 13:21:44 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sat Sep 5 13:21:44 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sat Sep 5 13:41:25 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Sat Sep 5 13:41:25 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Sat Sep 5 13:41:25 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Sat Sep 5 13:41:25 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Sat Sep 5 13:41:25 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Sat Sep 5 13:41:25 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sat Sep 5 13:41:25 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sat Sep 5 13:49:04 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Sat Sep 5 13:49:05 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Sat Sep 5 13:49:05 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Sat Sep 5 13:49:05 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Sat Sep 5 13:49:05 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Sat Sep 5 13:49:05 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sat Sep 5 13:49:05 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sat Sep 5 13:56:11 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Sat Sep 5 13:56:11 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Sat Sep 5 13:56:11 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Sat Sep 5 13:56:11 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Sat Sep 5 13:56:11 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Sat Sep 5 13:56:11 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sat Sep 5 13:56:11 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sat Sep 5 14:11:06 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Sat Sep 5 14:11:06 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Sat Sep 5 14:11:06 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Sat Sep 5 14:11:06 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Sat Sep 5 14:11:06 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Sat Sep 5 14:11:06 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sat Sep 5 14:11:06 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sat Sep 5 14:22:50 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Sat Sep 5 14:22:50 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Sat Sep 5 14:22:50 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Sat Sep 5 14:22:50 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Sat Sep 5 14:22:50 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Sat Sep 5 14:22:50 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sat Sep 5 14:22:50 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sat Sep 5 14:37:51 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Sat Sep 5 14:37:51 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Sat Sep 5 14:37:51 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Sat Sep 5 14:37:51 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Sat Sep 5 14:37:51 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Sat Sep 5 14:37:52 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sat Sep 5 14:37:52 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sat Sep 5 14:53:08 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Sat Sep 5 14:53:09 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Sat Sep 5 14:53:09 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Sat Sep 5 14:53:09 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Sat Sep 5 14:53:09 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Sat Sep 5 14:53:09 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sat Sep 5 14:53:09 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sat Sep 5 19:22:16 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Sat Sep 5 19:22:16 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Sat Sep 5 19:22:16 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Sat Sep 5 19:22:16 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Sat Sep 5 19:22:16 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Sat Sep 5 19:22:16 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sat Sep 5 19:22:16 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sun Sep 6 18:10:58 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Sun Sep 6 18:10:58 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Sun Sep 6 18:10:58 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. (Sun Sep 6 18:10:58 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Sun Sep 6 18:10:58 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Sun Sep 6 18:10:58 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sun Sep 6 18:10:58 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sun Sep 6 20:30:01 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Sun Sep 6 20:30:01 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Sun Sep 6 20:30:01 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Sun Sep 6 20:30:01 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Sun Sep 6 20:30:01 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Sun Sep 6 20:30:01 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Sun Sep 6 20:30:01 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441565252)))] (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Sun Sep 6 20:47:32 2015) [sssd[sudo]] 
[sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441565252)))] (Sun Sep 6 20:47:32 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] (Sun Sep 6 20:47:39 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441565496)))] (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is 
doma (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441565496)))] (Sun Sep 6 20:51:36 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] (Sun Sep 6 20:51:38 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. 
(Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441568038)))] (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441568038)))] (Sun Sep 6 21:33:58 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
0x9aaa9a0 (Mon Sep 7 20:46:10 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Mon Sep 7 20:46:10 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Mon Sep 7 20:46:10 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x9aae010 (Mon Sep 7 20:46:10 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x9aadc88 (Mon Sep 7 20:46:10 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Mon Sep 7 20:46:10 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x9aad068 (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x9aaa9a0 (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 5 error message: Internal Error (Memory buffer error) (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab1988 (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab19e8 (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab1988 "ltdb_callback" (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab19e8 "ltdb_timeout" (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab1988 "ltdb_callback" (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab1bc0 (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab1c20 (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab1bc0 "ltdb_callback" (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab1c20 "ltdb_timeout" (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab1bc0 "ltdb_callback" (Mon Sep 7 20:46:11 2015) 
[sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab21c0 (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab1930 (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab21c0 "ltdb_callback" (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab1930 "ltdb_timeout" (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab21c0 "ltdb_callback" (Mon Sep 7 20:46:11 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x8055760:domains at szilva] (Mon Sep 7 20:46:20 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x9aadc88 (Mon Sep 7 20:46:20 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Mon Sep 7 20:46:20 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping] (Mon Sep 7 20:46:20 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Sep 7 20:46:20 2015) [sssd[sudo]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [get_client_cred] (0x4000): Client creds: euid[0] egid[0] pid[4183]. (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9ab1b68][17] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected! (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9ab1b68][17] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. 
(Mon Sep 7 20:46:25 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9ab1b68][17] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9ab1b68][17] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab1870 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab18d0 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab1870 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab18d0 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab1870 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [doma] from [szilva] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9aaeee8 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab5740 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9aaeee8 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab5740 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): 
Ending timer event 0x9aaeee8 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab5590 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab5740 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab5590 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab5740 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab5590 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441651585)))] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab5cd8 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab6958 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab5cd8 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab6958 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab5cd8 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab5590 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9aaeee8 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab5590 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x9aaeee8 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab5590 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@szilva] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9ab1b68][17] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9ab1b68][17] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9aae148 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9aae1a8 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9aae148 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9aae1a8 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9aae148 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [doma] from [szilva] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9aaa398 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9aaae48 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] 
[ldb] (0x4000): Running timer event 0x9aaa398 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9aaae48 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9aaa398 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9aaae48 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab5b10 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9aaae48 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab5b10 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9aaae48 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441651585)))] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab43e8 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab6958 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab43e8 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab6958 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab43e8 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab6958 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab43e8 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab6958 "ltdb_callback" (Mon Sep 7 
20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab43e8 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab6958 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab43e8 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab6958 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab43e8 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab6958 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab43e8 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab43e8 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9aaae48 (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab43e8 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9aaae48 "ltdb_timeout" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab43e8 "ltdb_callback" (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [doma at szilva] (Mon Sep 7 20:46:25 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9ab1b68][17] (Mon Sep 7 20:46:30 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x9aadc88 (Mon Sep 7 20:46:30 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. 
(Mon Sep 7 20:46:30 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping] (Mon Sep 7 20:46:30 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Sep 7 20:46:30 2015) [sssd[sudo]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] (Mon Sep 7 20:46:36 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9ab1b68][17] (Mon Sep 7 20:46:36 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! (Mon Sep 7 20:46:36 2015) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x9ab1b68][17] (Mon Sep 7 20:46:40 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x9aadc88 (Mon Sep 7 20:46:40 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Mon Sep 7 20:46:40 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping] (Mon Sep 7 20:46:40 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Sep 7 20:46:40 2015) [sssd[sudo]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] (Mon Sep 7 20:46:50 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x9aadc88 (Mon Sep 7 20:46:50 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Mon Sep 7 20:46:50 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping] (Mon Sep 7 20:46:50 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Sep 7 20:46:50 2015) [sssd[sudo]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] (Mon Sep 7 20:47:00 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x9aadc88 (Mon Sep 7 20:47:00 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. 
(Mon Sep 7 20:47:00 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping] (Mon Sep 7 20:47:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Sep 7 20:47:00 2015) [sssd[sudo]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [get_client_cred] (0x4000): Client creds: euid[0] egid[0] pid[4188]. (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9aafe98][17] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected! (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9aafe98][17] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9aafe98][17] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9aafe98][17] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9aae258 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9aae2b8 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x9aae258 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9aae2b8 "ltdb_timeout" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9aae258 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [doma] from [szilva] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab55e8 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9aaae48 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab55e8 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9aaae48 "ltdb_timeout" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab55e8 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9aabd10 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab55e8 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9aabd10 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab55e8 "ltdb_timeout" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9aabd10 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441651624)))] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab4330 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab4428 (Mon Sep 7 20:47:04 
2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab4330 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab4428 "ltdb_timeout" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab4330 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab18b0 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9aaa398 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab18b0 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9aaa398 "ltdb_timeout" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab18b0 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@szilva] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9aafe98][17] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x9aafe98][17] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] 
(0x4000): Added timed event "ltdb_callback": 0x9aabde0 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9aabe40 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9aabde0 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9aabe40 "ltdb_timeout" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9aabde0 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [doma] from [szilva] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab5588 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab1ce8 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab5588 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab1ce8 "ltdb_timeout" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab5588 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab1ce8 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab5a30 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab1ce8 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab5a30 "ltdb_timeout" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab1ce8 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441651624)))] 
(Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab5b98 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab61a0 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab5b98 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab61a0 "ltdb_timeout" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab5b98 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab1ce8 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab5588 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab1ce8 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab5588 "ltdb_timeout" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab1ce8 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9ab5a30 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab1ce8 (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x9ab5a30 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab1ce8 "ltdb_timeout" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9ab5a30 "ltdb_callback" (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] (Mon Sep 7 20:47:04 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9aacc58 (Mon Sep 7 20:47:04 
(Wed Sep 9 20:54:09 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Wed Sep 9 20:54:09 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x867fe90/0x867ef80 (12), R/- (disabled) (Wed Sep 9 20:54:09 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x867fe90/0x867b318 (12), -/W (enabled) (Wed Sep 9 20:54:09 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x867fe90/0x867ef80 (12), R/- (enabled) (Wed Sep 9 20:54:09 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x867fe90/0x867b318 (12), -/W (disabled) (Wed Sep 9 20:54:09 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x8680198 (Wed Sep 9 20:54:09 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x867fbc0 (Wed Sep 9 20:54:09 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Wed Sep 9 20:54:09 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x867f718 (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x867cc50 (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. 
(Wed Sep 9 20:54:10 2015) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 5 error message: Internal Error (Memory buffer error) (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8681790 (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x86817f0 (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x8681790 "ltdb_callback" (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x86817f0 "ltdb_timeout" (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x8681790 "ltdb_callback" (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x86817e8 (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8683ea8 (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x86817e8 "ltdb_callback" (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x8683ea8 "ltdb_timeout" (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x86817e8 "ltdb_callback" (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8681488 (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8681208 (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x8681488 "ltdb_callback" (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x8681208 "ltdb_timeout" (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x8681488 "ltdb_callback" (Wed Sep 9 20:54:10 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x8055760:domains at szilva] (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [server_setup] (0x0400): CONFDB: 
/var/lib/sss/db/config.ldb (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [confdb_get_domain_internal] (0x0400): No enumeration for [szilva]! (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_init_connection] (0x0400): Adding connection 0x87d5bc0 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_add_watch] (0x2000): 0x87d5e90/0x87d1318 (12), -/W (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d5e90/0x87d4f80 (12), R/- (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/service without fallback (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x87d6198 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d5e90/0x87d4f80 (12), R/- (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d5e90/0x87d1318 (12), -/W (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_init_connection] (0x0400): Adding connection 0x87d2c50 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_add_watch] (0x2000): 0x87d3040/0x87d2958 (13), -/W (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d3040/0x87d2980 (13), R/- (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/dataprovider without fallback (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x87d3588 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d3040/0x87d2980 (13), R/- (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d3040/0x87d2958 (13), -/W (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d40d8 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d3660 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d40d8 "ltdb_callback" (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d3660 "ltdb_timeout" (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d40d8 "ltdb_callback" (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x0400): asq: Unable to register control with rootdse! 
(Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d6c78 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d6cd8 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d6c78 "ltdb_callback" (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d6cd8 "ltdb_timeout" (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d6c78 "ltdb_callback" (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d6db8 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d6e18 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d6db8 "ltdb_callback" (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d6e18 "ltdb_timeout" (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d6db8 "ltdb_callback" (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sss_process_init] (0x0400): Responder Initialization complete (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sudo_process_init] (0x0400): SUDO Initialization complete (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x8055760:domains at szilva] (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [szilva][] (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x87d5718 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d3040/0x87d2980 (13), R/- (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d3040/0x87d2958 (13), -/W (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x8055760:domains at szilva] (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d5bc0 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] 
[sbus_dispatch] (0x4000): dbus conn: 0x87d5bc0 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d2c50 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d2c50 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d2c50 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d5e90/0x87d4f80 (12), R/- (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d5e90/0x87d1318 (12), -/W (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d3040/0x87d2980 (13), R/- (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d3040/0x87d2958 (13), -/W (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d5e90/0x87d4f80 (12), R/- (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d5e90/0x87d1318 (12), -/W (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d3040/0x87d2980 (13), R/- (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d3040/0x87d2958 (13), -/W (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d5e90/0x87d4f80 (12), R/- (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d5e90/0x87d1318 (12), -/W (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d3040/0x87d2980 (13), R/- (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d3040/0x87d2958 (13), -/W (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d5e90/0x87d4f80 (12), R/- (enabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x87d5e90/0x87d1318 (12), -/W (disabled) (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x87d3588 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 
0x87d2c50 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x87d6198 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d5bc0 (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Wed Sep 9 20:54:12 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x87d5718 (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d2c50 (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 5 error message: Internal Error (Memory buffer error) (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d7790 (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d77f0 (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d7790 "ltdb_callback" (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d77f0 "ltdb_timeout" (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d7790 "ltdb_callback" (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d77e8 (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d9ea8 (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d77e8 "ltdb_callback" (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d9ea8 "ltdb_timeout" (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d77e8 "ltdb_callback" (Wed Sep 9 20:54:13 2015) 
[sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d7488 (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d7208 (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d7488 "ltdb_callback" (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d7208 "ltdb_timeout" (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d7488 "ltdb_callback" (Wed Sep 9 20:54:13 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x8055760:domains at szilva] (Wed Sep 9 20:54:22 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d5bc0 (Wed Sep 9 20:54:22 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Wed Sep 9 20:54:22 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping] (Wed Sep 9 20:54:22 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Sep 9 20:54:22 2015) [sssd[sudo]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] (Wed Sep 9 20:54:32 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d5bc0 (Wed Sep 9 20:54:32 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Wed Sep 9 20:54:32 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping] (Wed Sep 9 20:54:32 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Sep 9 20:54:32 2015) [sssd[sudo]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [get_client_cred] (0x4000): Client creds: euid[0] egid[0] pid[31250]. (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x87da008][17] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected! 
(Wed Sep 9 20:54:37 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x87da008][17] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x87da008][17] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x87da008][17] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d9f48 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d9fa8 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d9f48 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d9fa8 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d9f48 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [doma] from [szilva] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87dde30 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): 
Added timed event "ltdb_timeout": 0x87d9f48 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87dde30 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d9f48 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87dde30 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d3980 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d6590 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d3980 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d6590 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d3980 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441824877)))] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d7790 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d77f0 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d7790 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d77f0 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d7790 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x87d3c38 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87dc588 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d3c38 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87dc588 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d3c38 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@szilva] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x87da008][17] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x87da008][17] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d7240 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d72a0 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d7240 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d72a0 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d7240 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] 
[sudosrv_get_rules] (0x0400): Retrieving rules for [doma] from [szilva] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87dcc68 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87de300 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87dcc68 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87de300 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87dcc68 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d6210 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d6590 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d6210 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d6590 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d6210 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441824877)))] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87de358 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87dcf10 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87de358 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87dcf10 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87de358 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache 
(Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87d6210 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87deb60 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87d6210 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87deb60 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87d6210 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87dd6e8 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87d6590 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87dd6e8 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87d6590 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87dd6e8 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87df030 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87de7d0 (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x87df030 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x87de7d0 "ltdb_timeout" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x87df030 "ltdb_callback" (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [doma at szilva] (Wed Sep 9 20:54:37 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client 
[0x87da008][17] (Wed Sep 9 20:54:41 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x87da008][17] (Wed Sep 9 20:54:41 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! (Wed Sep 9 20:54:41 2015) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x87da008][17] (Wed Sep 9 20:54:42 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d5bc0 (Wed Sep 9 20:54:42 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Wed Sep 9 20:54:42 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping] (Wed Sep 9 20:54:42 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Sep 9 20:54:42 2015) [sssd[sudo]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] (Wed Sep 9 20:54:52 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d5bc0 (Wed Sep 9 20:54:52 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Wed Sep 9 20:54:52 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping] (Wed Sep 9 20:54:52 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Sep 9 20:54:52 2015) [sssd[sudo]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] (Wed Sep 9 20:55:02 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d5bc0 (Wed Sep 9 20:55:02 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Wed Sep 9 20:55:02 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping] (Wed Sep 9 20:55:02 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Sep 9 20:55:02 2015) [sssd[sudo]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] (Wed Sep 9 20:55:12 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x87d5bc0 (Wed Sep 9 20:55:12 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. 
(Fri Sep 11 14:20:00 2015) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x8f6abd0][17] (Fri Sep 11 14:20:10 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:20:20 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:20:30 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:20:40 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:20:50 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:21:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:21:10 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:21:20 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:21:30 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:21:40 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:21:50 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:22:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:22:10 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:22:20 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:22:30 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:22:40 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:22:50 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:23:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:23:10 2015) [sssd[sudo]] 
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:23:20 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:23:30 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:23:40 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:23:50 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:24:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:24:10 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:24:20 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:24:30 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:24:40 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:24:50 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:25:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:25:10 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:25:20 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected! (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. 
(Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [doma] from [szilva] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441974322)))] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@szilva] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Fri Sep 11 14:25:22 2015) 
[sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [doma] from [szilva] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441974322)))] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] (Fri Sep 11 14:25:22 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [doma at szilva] (Fri Sep 11 14:25:26 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! 
(Fri Sep 11 14:25:26 2015) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x8f6abd0][17] (Fri Sep 11 14:25:30 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:25:40 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:25:50 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:26:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:26:10 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:26:20 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:26:30 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:26:40 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:26:50 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:27:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:27:10 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:27:20 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:27:30 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:27:40 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:27:50 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:28:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:28:10 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:28:20 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:28:30 2015) [sssd[sudo]] 
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:28:40 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:28:50 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:29:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:29:10 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:29:20 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:29:30 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:29:34 2015) [sssd[sudo]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [confdb_get_domain_internal] (0x0400): No enumeration for [szilva]! (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1 (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_init_connection] (0x0400): Adding connection 0x82d6088 (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_add_watch] (0x2000): 0x82d8d00/0x82d6450 (12), -/W (enabled) (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/service without fallback (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1) (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x82d9b50 (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. 
(Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_init_connection] (0x0400): Adding connection 0x82d6aa8 (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_add_watch] (0x2000): 0x82d6ec8/0x82da520 (13), -/W (enabled) (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/dataprovider without fallback (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO) (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x82d6fb0 (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [ldb] (0x0400): asq: Unable to register control with rootdse! (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sss_process_init] (0x0400): Responder Initialization complete (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sudo_process_init] (0x0400): SUDO Initialization complete (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x8055760:domains at szilva] (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [szilva][] (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x82dae98 (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x8055760:domains at szilva] (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x82d9b50 (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x82d6fb0 (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x82dae98 (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error 
message: Success (Fri Sep 11 14:30:25 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x8055760:domains at szilva] (Fri Sep 11 14:30:35 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:30:45 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:30:55 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:31:05 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:31:15 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:31:25 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:31:35 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:31:45 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:31:55 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:32:05 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:32:15 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:32:25 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:32:35 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:32:45 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:32:55 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:33:05 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:33:15 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:33:25 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri 
Sep 11 14:33:35 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:33:45 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:33:55 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:34:05 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:34:15 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:34:25 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:34:35 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:34:45 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:34:55 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:35:05 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected! (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. 
(Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [doma] from [szilva] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441974914)))] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@szilva] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [] (Fri Sep 11 14:35:14 2015) 
[sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [doma] from [szilva] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441974914)))] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] (Fri Sep 11 14:35:14 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [doma at szilva] (Fri Sep 11 14:35:15 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Sep 11 14:35:17 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! 
From rcritten at redhat.com Fri Sep 11 13:29:09 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Sep 2015 09:29:09 -0400
Subject: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master
In-Reply-To:
References:
Message-ID: <55F2D725.4070800@redhat.com>

Craig White wrote:
> Following instructions from here
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>
> RHEL6 server
>
> # rpm -qa ipa-server
> ipa-server-3.0.0-42.el6.x86_64
>
> RHEL7 server
>
> # rpm -q ipa-server
> ipa-server-4.1.0-18.el7_1.4.x86_64
>
> I am down to the part where I am trying to make the new RHEL7 server the
> master CA server
>
> On the RHEL6 system, I
>
> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
> Number of certificates and requests being tracked: 8.
> Request ID '20141022190721':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=STT.LOCAL
>         subject: CN=CA Subsystem,O=STT.LOCAL
>         expires: 2016-10-11 19:06:36 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> and the "post-save" command is empty, doesn't track the page. Should I
> just ignore? I note that the output from this (save for different file
> path on RHEL6) indicates that the original RHEL6 is still CA Master

There was a bug in certmonger where the pre/post save commands wouldn't
display. I believe this was fixed, see if there is an updated package
available. Otherwise you'd have to poke around in the tracking files in
/var/lib/certmonger.
> The CRL generation master can be determined by looking at CS.cfg on each CA:
>
> # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
> ca.crl.MasterCRL.enableCRLUpdates=true
>
> Also, when I set up the second new IPA master, do I also make it a CA?

I'd say yes. You always want at least 2 masters with a CA.

rob

From janellenicole80 at gmail.com Fri Sep 11 14:14:10 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Fri, 11 Sep 2015 07:14:10 -0700
Subject: [Freeipa-users] Logging?
In-Reply-To: <20150911102524.GF3603@hendrix.redhat.com>
References: <55F08D92.7020607@gmail.com> <55F199FE.2090002@redhat.com> <55F19C2C.2060405@gmail.com> <20150911102524.GF3603@hendrix.redhat.com>
Message-ID: <55F2E1B2.1020904@gmail.com>

On 9/11/15 3:25 AM, Jakub Hrozek wrote:
> On Thu, Sep 10, 2015 at 08:05:16AM -0700, Janelle wrote:
>> On 9/10/15 7:55 AM, Martin Kosek wrote:
>>> On 09/09/2015 09:50 PM, Janelle wrote:
>>>> Hello,
>>>>
>>>> I was wondering if anyone has played with the extended logging of IPA and
>>>> specifically SSSD and the kibana dashboards they put together.
>>>> https://www.freeipa.org/page/Centralized_Logging
>>>>
>>>> I can't seem to get "clients" to send the login info
>>>> (https://www.freeipa.org/images/6/65/Rek-user-logins.png), even though I see
>>>> the data in the logs, and was wondering if anyone has any tips?
>>>>
>>>> Thank you
>>>> ~Janelle
>>> Thanks for feedback, I am CCing Peter Schiffer and Jakub Hrozek who were
>>> involved more in the client parts.
>>>
>>> What did you run for configuring the client? ipa-log-config from
>>>
>>> https://github.com/pschiffe/ipa-log-config
>>>
>>> ?
>> Hi Martin,
>>
>> Yes, I did run the log config tool. It works flawlessly on the IPA servers,
>> but although it claims it sets everything up on clients, I am seeing no
>> actual data, even though there is data in the logs themselves. So I am
>> busy trying to debug where rsyslog is missing something.
>> I am more of a
>> syslog-ng person, so I am having to learn all the bits and pieces of
>> rsyslog, and perhaps I am missing something.
>>
>> To further help -- I have tried 2 methods of a client. One with a client
>> that was "enrolled" via standard ipa-client-install, and another LDAP-only
>> client, still using SSSD but only configured with LDAP settings for Auth.
> I would suggest debugging step by step -- are the sssd debug logs being
> generated? Are they being collected by rsyslog? etc..

Ok. Thank you. I had stated that the logs are indeed being populated
correctly. I guess it is something with the rsyslog config being set by the
tool. I will try and debug that. The odd thing is, the settings are the same
on the IPA server, and it logs correctly, but not on clients. Oh well, back
to the drawing board.

~J

From mkosek at redhat.com Fri Sep 11 15:46:17 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 11 Sep 2015 17:46:17 +0200
Subject: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master
In-Reply-To: <55F2D725.4070800@redhat.com>
References: <55F2D725.4070800@redhat.com>
Message-ID: <55F2F749.7040401@redhat.com>

On 09/11/2015 03:29 PM, Rob Crittenden wrote:
> Craig White wrote:
>> Following instructions from here
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>>
>> [...]
>>
>> and the "post-save" command is empty, doesn't track the page. Should I
>> just ignore? I note that the output from this (save for different file
>> path on RHEL6) indicates that the original RHEL6 is still CA Master
>
> There was a bug in certmonger where the pre/post save commands wouldn't
> display. I believe this was fixed, see if there is an updated package
> available. Otherwise you'd have to poke around in the tracking files in
> /var/lib/certmonger.

I think Rob meant this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1181022

It should be fixed in certmonger-0.75.14-3.el7. CCing Jan in case he knows
about other similar fixes.

>
>> The CRL generation master can be determined by looking at CS.cfg on each CA:
>>
>> # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
>> ca.crl.MasterCRL.enableCRLUpdates=true
>>
>> Also, when I set up the second new IPA master, do I also make it a CA?
>
> I'd say yes. You always want at least 2 masters with a CA.
>
> rob
>

From matt.wells at mosaic451.com Fri Sep 11 16:36:51 2015
From: matt.wells at mosaic451.com (Matt Wells)
Date: Fri, 11 Sep 2015 09:36:51 -0700
Subject: [Freeipa-users] AD Trust Issues
Message-ID:

I've been working on an AD trust with our freeipa servers but have run into some of the same issues others have had. It's well documented here however I feel I've mitigated these - https://bugzilla.redhat.com/show_bug.cgi?id=1219832

Freeipa Servers are Fedora 22 / freeipa-server-4.2.0

The Samba version I'm on is well past the patched version. It seems the patch is in samba-4.2.1-7.fc22 and I'm on samba-4.2.3-0 (assuming the patch is in this version).

I run
# echo Password123 | ipa trust-add --type=ad ad.example.com --trust-secret
ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc

I've been using "http://www.freeipa.org/page/Active_Directory_trust_setup" as a guide.

Our only domains are -
EXAMPLE.COM (web pages only)
--- LX.EXAMPLE.COM ( IPA )
--- AD.EXAMPLE.COM ( Active Directory )

My configuration is on separate domains. AD.EXAMPLE.COM is for Active Directory and forwards all DNS to IPA ( LX.EXAMPLE.COM ) and those network requests then forward to the internet. Our AD is only to provide GPOs to desktops, everything else is run off IPA.

I've run through the 'ipa-adtrust-install' but to no avail; after running through that is when I get the CIFS error.

I've made the network guys prove to me the ports are open. I've actually seen a permit any any on the network gear, dropped the firewalls on AD and IPA and moved to permissive mode for testing. All of this to just check off the troubleshooting boxes. NTP is good, everyone is pointed to the internal and are UTC.

I'm sure I've forgotten something, thanks to everyone for reading this. Really appreciate it.
My versions are listed below -

freeipa-admintools-4.2.0-0.fc22.x86_64
freeipa-client-4.2.0-0.fc22.x86_64
freeipa-python-4.2.0-0.fc22.x86_64
freeipa-server-4.2.0-0.fc22.x86_64
freeipa-server-trust-ad-4.2.0-0.fc22.x86_64
samba-4.2.3-0.fc22.x86_64
samba-client-4.2.3-0.fc22.x86_64
samba-client-libs-4.2.3-0.fc22.x86_64
samba-common-4.2.3-0.fc22.noarch
samba-common-libs-4.2.3-0.fc22.x86_64
samba-common-tools-4.2.3-0.fc22.x86_64
samba-dc-4.2.3-0.fc22.x86_64
samba-dc-libs-4.2.3-0.fc22.x86_64
samba-libs-4.2.3-0.fc22.x86_64
samba-python-4.2.3-0.fc22.x86_64
samba-winbind-4.2.3-0.fc22.x86_64
samba-winbind-clients-4.2.3-0.fc22.x86_64
samba-winbind-modules-4.2.3-0.fc22.x86_64

[root at server1 /]# systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2015-09-11 14:43:50 UTC; 23min ago
 Main PID: 31581 (smbd)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/smb.service
           └─31581 /usr/sbin/smbd

Sep 11 14:49:40 server1.lx.example.com smbd[32207]: GSSAPI client step 1
Sep 11 14:49:40 server1.lx.example.com smbd[32207]: GSSAPI client step 2
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 1
Sep 11 14:50:03 server1.lx.example.com smbd[32235]: GSSAPI client step 2
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 1
Sep 11 14:54:46 server1.lx.example.com smbd[32276]: GSSAPI client step 2

[root at server1 /]# systemctl status nmb
● nmb.service - Samba NMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/nmb.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2015-09-11 14:49:56 UTC; 17min ago
 Main PID: 32220 (nmbd)
   Status: "nmbd: ready to serve connections..."
   CGroup: /system.slice/nmb.service
           └─32220 /usr/sbin/nmbd

Sep 11 14:50:04 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:04 server1.lx.example.com nmbd[32220]: Samba server LAS01003007 is now a domain master browser for workgroup AXIEXAMPLE on subnet 192.168.1.10
Sep 11 14:50:04 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:04 server1.lx.example.com nmbd[32220]: *****
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: [2015/09/11 14:50:19.307616, 0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: *****
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: Samba name server LAS01003007 is now a local master browser for workgroup AXIMOSAIC451 on subnet 10.100.50.37
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]:
Sep 11 14:50:19 server1.lx.example.com nmbd[32220]: *****

[root at server1 /]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root at server1 ~]# ss -tnl
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      50     *:139                *:*
LISTEN     0      2      *:749                *:*
LISTEN     0      100    *:8080               *:*
LISTEN     0      5      *:464                *:*
LISTEN     0      128    *:80                 *:*
LISTEN     0      10     192.168.1.10:53      *:*
LISTEN     0      10     127.0.0.1:53         *:*
LISTEN     0      128    *:22                 *:*
LISTEN     0      5      *:88                 *:*
LISTEN     0      128    127.0.0.1:953        *:*
LISTEN     0      100    *:8443               *:*
LISTEN     0      128    *:443                *:*
LISTEN     0      50     *:445                *:*
LISTEN     0      100    *:1024               *:*
LISTEN     0      5      *:5666               *:*
LISTEN     0      1      127.0.0.1:8005       *:*
LISTEN     0      50     *:135                *:*
LISTEN     0      100    127.0.0.1:8009       *:*
LISTEN     0      50     :::139               :::*
LISTEN     0      2      :::749               :::*
LISTEN     0      5      :::464               :::*
LISTEN     0      10     :::53                :::*
LISTEN     0      128    :::22                :::*
LISTEN     0      5      :::88                :::*
LISTEN     0      128    :::636               :::*
LISTEN     0      50     :::445               :::*
LISTEN     0      100    :::1024              :::*
LISTEN     0      5      :::5666              :::*
LISTEN     0      128    :::9090              :::*
LISTEN     0      128    :::389               :::*
LISTEN     0      50     :::135               :::*

From morgan at marodin.it Fri Sep 11 16:42:53 2015
From: morgan at marodin.it (Morgan Marodin)
Date: Fri, 11 Sep 2015 18:42:53 +0200
Subject: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets
Message-ID:

Hi everyone.

I've seen these guides:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ssh.html
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ssh.html
https://www.dalemacartney.com/2013/08/30/single-sign-on-sso-with-secure-shell-ssh/

But I've not been able to access via ssh to a freeipa client with kerberos tickets. I've also tried to install MIT kerberos on my windows 8.1, but that doesn't work either.

The target freeipa client is a RHEL 6.7 like distribution. Naturally trying with AD username (name.surname at mydomain.com) and password is ok.

Do you have any suggestions for this problem?

Thanks, bye.
Morgan

From CWhite at skytouchtechnology.com Fri Sep 11 17:16:38 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Fri, 11 Sep 2015 17:16:38 +0000
Subject: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master
In-Reply-To: <55F2F749.7040401@redhat.com>
References: <55F2D725.4070800@redhat.com> <55F2F749.7040401@redhat.com>
Message-ID:

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Friday, September 11, 2015 8:46 AM
To: Rob Crittenden; Craig White; freeipa-users at redhat.com; Jan Cholasta; Jan Cholasta
Subject: Re: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

On 09/11/2015 03:29 PM, Rob Crittenden wrote:
> Craig White wrote:
>> Following instructions from here...
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>>
>> RHEL6 server
>>
>> # rpm -qa ipa-server
>> ipa-server-3.0.0-42.el6.x86_64
>>
>> RHEL7 server
>>
>> # rpm -q ipa-server
>> ipa-server-4.1.0-18.el7_1.4.x86_64
>>
>> I am down to the part where I am trying to make the new RHEL7 server the master CA server
>>
>> On the RHEL6 system, I
>>
>> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
>> Number of certificates and requests being tracked: 8.
>> >> Request ID '20141022190721': >> >> status: MONITORING >> >> stuck: no >> >> key pair storage: >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED >> >> certificate: >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> cert-pki-ca',token='NSS Certificate DB' >> >> CA: dogtag-ipa-renew-agent >> >> issuer: CN=Certificate Authority,O=STT.LOCAL >> >> subject: CN=CA Subsystem,O=STT.LOCAL >> >> expires: 2016-10-11 19:06:36 UTC >> >> key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> >> eku: id-kp-serverAuth,id-kp-clientAuth >> >> pre-save command: >> >> post-save command: >> >> track: yes >> >> auto-renew: yes >> >> >> >> and the 'post-save' command is empty, doesn't track the page. Should >> I just ignore? I note that the output from this (save for different >> file path on RHEL6) indicates that the original RHEL6 is still CA >> Master > > There was a bug in certmonger where the pre/post save commands > wouldn't display. I believe this was fixed, see if there is an updated > package available. Otherwise you'd have to poke around in the tracking > files in /var/lib/certmonger. I think Rob meant this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1181022 It should be fixed in certmonger-0.75.14-3.el7. CCing Jan in case he knows about other similar fixes. > >> The CRL generation master can be determined by looking at CS.cfg on each CA: >> >> # grep ca.crl.MasterCRL.enableCRLUpdates >> /etc/pki/pki-tomcat/ca/CS.cfg >> >> ca.crl.MasterCRL.enableCRLUpdates=true >> >> >> >> >> >> Also, when I set up the second new IPA master, do I also make it a CA? > > I'd say yes. You always at at least 2 masters with a CA. > > rob > ---- Indeed - updating the RHEL6 system to current (certmonger) remedied the issue and I was able to proceed. Seems I am complete - at least to the point of shutting down the old IPA servers. 
Thanks for the great support Rob/Martin and of course everyone in the FreeIPA group - you guys are awesome!

Craig

From andrew.holway at gmail.com Thu Sep 10 12:27:21 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Thu, 10 Sep 2015 14:27:21 +0200
Subject: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
In-Reply-To:
References:
Message-ID:

It could be the server is trying to access the time server over a heavily congested network which could cause these types of problems.

How old is the hardware? How often do these entries appear in the log? What is the ping / traceroute to the time server you are using? Are there any other machines on the same local network that are using this timeserver? Do they have problems?

On 10 September 2015 at 14:18, Prasun Gera wrote:
> So I did a bit of googling and tinker panic 0 only makes sense for virtual machines. Is there any way to confirm if it is indeed a hardware issue ?
>
> On Thu, Sep 10, 2015 at 5:16 AM, Andrew Holway wrote:
>
>> That's odd. You would normally not need it on bare metal. It could be broken hardware.
>>
>> On 10 September 2015 at 14:05, Prasun Gera wrote:
>>
>>> Thanks. I'm not virtualizing though. Should I still add it ?
>>>
>>> On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway wrote:
>>>
>>>> Hi,
>>>>
>>>> I assume you are virtualising.
>>>>
>>>> Try adding "tinker panic 0" to /etc/ntp.conf.
>>>>
>>>> It should make it tolerant to heavily drifting virtual clocks.
>>>>
>>>> Cheers,
>>>>
>>>> Andrew
>>>>
>>>> On 10 September 2015 at 13:46, Prasun Gera wrote:
>>>>
>>>>> OS: RHEL 7.1 w IDM
>>>>>
>>>>> I'm seeing these messages in my master's log messages. I don't know if it's related, but I think I started seeing them after I set up a replica. Everything seems to be working fine, but I'm worried that things will break if delta grows beyond a point. I tried steps in https://access.redhat.com/solutions/35640, but it didn't really help. The messages still appear regularly in the log.

From nathan at nathanpeters.com Fri Sep 11 17:25:27 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Fri, 11 Sep 2015 10:25:27 -0700
Subject: [Freeipa-users] ipa-client-install not creating reverse DNS entries
Message-ID:

I have been trying to figure this out for a while now but when I join a machine to FreeIPA, the installer properly creates forward DNS entries, and SSHFP entries, but does not create reverse entries. Without the PTR records, kerberos logins are always failing on these machines. The reverse zones exist, all DNS is managed by FreeIPA, and I am able to manually add the entries just fine.

Environment :
Servers : CentOS7, FreeIPA 4.1.4
Clients : CentOS 6.5, FreeIPA client 3.0.0-42

I have tried this both with the Internal FreeIPA 'admin' user as the join user and as another user called 'joinscript' which has the host enrollment and DNS administrator privileges.
Here is the ipa-client install log: 2015-09-11T16:24:05Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'server': None, 'no_nisdomain': False, 'principal': 'joinscript', 'hostname': 'ipaclient.ipadomain.net', 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'realm_name': None, 'dns_updates': True, 'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'ca_cert_file': None, 'nisdomain': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False} 2015-09-11T16:24:05Z DEBUG missing options might be asked for interactively later 2015-09-11T16:24:05Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2015-09-11T16:24:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2015-09-11T16:24:05Z DEBUG [IPA Discovery] 2015-09-11T16:24:05Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=ipaclient.ipadomain.net 2015-09-11T16:24:05Z DEBUG Start searching for LDAP SRV record in "ipadomain.net" (domain of the hostname) and its sub-domains 2015-09-11T16:24:05Z DEBUG Search DNS for SRV record of _ldap._tcp.ipadomain.net. 2015-09-11T16:24:05Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc1.ipadomain.net.} 2015-09-11T16:24:05Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc2.ipadomain.net.} 2015-09-11T16:24:05Z DEBUG [Kerberos realm search] 2015-09-11T16:24:05Z DEBUG Search DNS for TXT record of _kerberos.ipadomain.net. 
2015-09-11T16:24:05Z DEBUG DNS record found: DNSResult::name:_kerberos.ipadomain.net.,type:16,class:1,rdata={data:ipadomain.net} 2015-09-11T16:24:05Z DEBUG Search DNS for SRV record of _kerberos._udp.ipadomain.net. 2015-09-11T16:24:05Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:dc2.ipadomain.net.} 2015-09-11T16:24:05Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:dc1.ipadomain.net.} 2015-09-11T16:24:05Z DEBUG [LDAP server check] 2015-09-11T16:24:05Z DEBUG Verifying that dc1.ipadomain.net (realm ipadomain.net) is an IPA server 2015-09-11T16:24:05Z DEBUG Init LDAP connection with: ldap://dc1.ipadomain.net:389 2015-09-11T16:24:05Z DEBUG Search LDAP server for IPA base DN 2015-09-11T16:24:05Z DEBUG Check if naming context 'dc=ipadomain,dc=net' is for IPA 2015-09-11T16:24:05Z DEBUG Naming context 'dc=ipadomain,dc=net' is a valid IPA context 2015-09-11T16:24:05Z DEBUG Search for (objectClass=krbRealmContainer) in dc=ipadomain,dc=net (sub) 2015-09-11T16:24:05Z DEBUG Found: cn=ipadomain.net,cn=kerberos,dc=ipadomain,dc=net 2015-09-11T16:24:05Z DEBUG Discovery result: Success; server=dc1.ipadomain.net, domain=ipadomain.net, kdc=dc2.ipadomain.net,dc1.ipadomain.net, basedn=dc=ipadomain,dc=net 2015-09-11T16:24:05Z DEBUG Validated servers: dc1.ipadomain.net 2015-09-11T16:24:05Z DEBUG will use discovered domain: ipadomain.net 2015-09-11T16:24:05Z DEBUG Start searching for LDAP SRV record in "ipadomain.net" (Validating DNS Discovery) and its sub-domains 2015-09-11T16:24:05Z DEBUG Search DNS for SRV record of _ldap._tcp.ipadomain.net. 
2015-09-11T16:24:05Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc2.ipadomain.net.} 2015-09-11T16:24:05Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc1.ipadomain.net.} 2015-09-11T16:24:05Z DEBUG DNS validated, enabling discovery 2015-09-11T16:24:05Z DEBUG will use discovered server: dc1.ipadomain.net 2015-09-11T16:24:05Z INFO Discovery was successful! 2015-09-11T16:24:05Z DEBUG will use discovered realm: ipadomain.net 2015-09-11T16:24:05Z DEBUG will use discovered basedn: dc=ipadomain,dc=net 2015-09-11T16:24:05Z INFO Hostname: ipaclient.ipadomain.net 2015-09-11T16:24:05Z DEBUG Hostname source: Provided as option 2015-09-11T16:24:05Z INFO Realm: ipadomain.net 2015-09-11T16:24:05Z DEBUG Realm source: Discovered from LDAP DNS records in dc1.ipadomain.net 2015-09-11T16:24:05Z INFO DNS Domain: ipadomain.net 2015-09-11T16:24:05Z DEBUG DNS Domain source: Discovered LDAP SRV records from ipadomain.net (domain of the hostname) 2015-09-11T16:24:05Z INFO IPA Server: dc1.ipadomain.net 2015-09-11T16:24:05Z DEBUG IPA Server source: Discovered from LDAP DNS records in dc1.ipadomain.net 2015-09-11T16:24:05Z INFO BaseDN: dc=ipadomain,dc=net 2015-09-11T16:24:05Z DEBUG BaseDN source: From IPA server ldap://dc1.ipadomain.net:389 2015-09-11T16:24:05Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r ipadomain.net 2015-09-11T16:24:05Z DEBUG stdout= 2015-09-11T16:24:05Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory 2015-09-11T16:24:05Z DEBUG args=/bin/hostname ipaclient.ipadomain.net 2015-09-11T16:24:05Z DEBUG stdout= 2015-09-11T16:24:05Z DEBUG stderr= 2015-09-11T16:24:05Z DEBUG Backing up system configuration file '/etc/sysconfig/network' 2015-09-11T16:24:05Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2015-09-11T16:24:05Z DEBUG 
args=/usr/sbin/selinuxenabled 2015-09-11T16:24:05Z DEBUG stdout= 2015-09-11T16:24:05Z DEBUG stderr= 2015-09-11T16:24:05Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2015-09-11T16:24:05Z INFO Synchronizing time with KDC... 2015-09-11T16:24:05Z DEBUG Search DNS for SRV record of _ntp._udp.ipadomain.net. 2015-09-11T16:24:05Z DEBUG DNS record found: DNSResult::name:_ntp._udp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:dc1.ipadomain.net.} 2015-09-11T16:24:05Z DEBUG DNS record found: DNSResult::name:_ntp._udp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:dc2.ipadomain.net.} 2015-09-11T16:24:05Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v dc1.ipadomain.net 2015-09-11T16:24:05Z DEBUG stdout= 2015-09-11T16:24:05Z DEBUG stderr= 2015-09-11T16:24:05Z DEBUG Writing Kerberos configuration to /tmp/tmpfa2hME: 2015-09-11T16:24:05Z DEBUG #File modified by ipa-client-install includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = ipadomain.net dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes [realms] ipadomain.net = { kdc = dc1.ipadomain.net:88 master_kdc = dc1.ipadomain.net:88 admin_server = dc1.ipadomain.net:749 default_domain = ipadomain.net pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .ipadomain.net = ipadomain.net ipadomain.net = ipadomain.net 2015-09-11T16:24:05Z DEBUG args=kinit joinscript at ipadomain.net 2015-09-11T16:24:05Z DEBUG stdout=Password for joinscript at ipadomain.net: 2015-09-11T16:24:05Z DEBUG stderr= 2015-09-11T16:24:05Z DEBUG trying to retrieve CA cert via LDAP from ldap://dc1.ipadomain.net 2015-09-11T16:24:06Z INFO Successfully retrieved CA cert Subject: CN=Certificate Authority,O=ipadomain.net Issuer: CN=Certificate Authority,O=ipadomain.net Valid From: Wed Mar 25 18:48:27 2015 UTC Valid Until: Sun Mar 25 18:48:27 2035 UTC 2015-09-11T16:24:07Z DEBUG args=/usr/sbin/ipa-join -s 
dc1.ipadomain.net -b dc=ipadomain,dc=net -h ipaclient.ipadomain.net -f 2015-09-11T16:24:07Z DEBUG stdout= 2015-09-11T16:24:07Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab Certificate subject base is: O=ipadomain.net 2015-09-11T16:24:07Z INFO Enrolled in IPA realm ipadomain.net 2015-09-11T16:24:07Z DEBUG args=kdestroy 2015-09-11T16:24:07Z DEBUG stdout= 2015-09-11T16:24:07Z DEBUG stderr= 2015-09-11T16:24:07Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/ipaclient.ipadomain.net at ipadomain.net 2015-09-11T16:24:07Z DEBUG stdout= 2015-09-11T16:24:07Z DEBUG stderr= 2015-09-11T16:24:07Z DEBUG Backing up system configuration file '/etc/ipa/default.conf' 2015-09-11T16:24:07Z DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist 2015-09-11T16:24:07Z INFO Created /etc/ipa/default.conf 2015-09-11T16:24:07Z DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'... 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' 2015-09-11T16:24:07Z DEBUG importing plugin 
module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py' 
2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' 2015-09-11T16:24:07Z DEBUG args=klist -V 2015-09-11T16:24:07Z DEBUG stdout=Kerberos 5 version 1.10.3 2015-09-11T16:24:07Z DEBUG stderr= 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' 2015-09-11T16:24:07Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' 2015-09-11T16:24:08Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf' 2015-09-11T16:24:08Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist 2015-09-11T16:24:08Z INFO New SSSD config will be created 2015-09-11T16:24:08Z DEBUG Backing up system configuration file '/etc/nsswitch.conf' 2015-09-11T16:24:08Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2015-09-11T16:24:08Z INFO Configured sudoers in /etc/nsswitch.conf 2015-09-11T16:24:08Z INFO 
Configured /etc/sssd/sssd.conf 2015-09-11T16:24:08Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt 2015-09-11T16:24:08Z DEBUG stdout= 2015-09-11T16:24:08Z DEBUG stderr= 2015-09-11T16:24:08Z DEBUG Backing up system configuration file '/etc/krb5.conf' 2015-09-11T16:24:08Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2015-09-11T16:24:08Z DEBUG Writing Kerberos configuration to /etc/krb5.conf: 2015-09-11T16:24:08Z DEBUG #File modified by ipa-client-install includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = ipadomain.net dns_lookup_realm = true dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = yes [realms] ipadomain.net = { pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .ipadomain.net = ipadomain.net ipadomain.net = ipadomain.net 2015-09-11T16:24:08Z INFO Configured /etc/krb5.conf for IPA realm ipadomain.net 2015-09-11T16:24:08Z DEBUG args=keyctl search @s user ipa_session_cookie:host/ipaclient.ipadomain.net at ipadomain.net 2015-09-11T16:24:08Z DEBUG stdout= 2015-09-11T16:24:08Z DEBUG stderr=keyctl_search: Required key not available 2015-09-11T16:24:09Z DEBUG args=keyctl search @s user ipa_session_cookie:host/ipaclient.ipadomain.net at ipadomain.net 2015-09-11T16:24:09Z DEBUG stdout= 2015-09-11T16:24:09Z DEBUG stderr=keyctl_search: Required key not available 2015-09-11T16:24:09Z DEBUG failed to find session_cookie in persistent storage for principal 'host/ipaclient.ipadomain.net at ipadomain.net' 2015-09-11T16:24:09Z INFO trying https://dc1.ipadomain.net/ipa/xml 2015-09-11T16:24:09Z DEBUG NSSConnection init dc1.ipadomain.net 2015-09-11T16:24:09Z DEBUG Connecting: 10.21.0.99:0 2015-09-11T16:24:09Z DEBUG auth_certificate_callback: check_sig=True is_server=False Data: Version: 3 (0x2) Serial Number: 9 (0x9) Signature Algorithm: Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: CN=Certificate Authority,O=ipadomain.net Validity: Not 
Before: Wed Mar 25 18:49:48 2015 UTC
            Not After: Sat Mar 25 18:49:48 2017 UTC
        Subject: CN=dc1.ipadomain.net,O=ipadomain.net
        Subject Public Key Info:
            Public Key Algorithm:
                Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions: (6)
            Name: Certificate Authority Key Identifier
            Critical: False
            Key ID: cd:7d:41:02:e9:c8:84:1b:4d:0e:f0:7f:63:7a:48:c1:65:eb:9b:60
            Serial Number: None
            General Names: [0 total]
            Name: Authority Information Access
            Critical: False
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature Non-Repudiation Key Encipherment Data Encipherment
            Name: Extended Key Usage
            Critical: False
            Usages: TLS Web Server Authentication Certificate TLS Web Client Authentication Certificate
            Name: CRL Distribution Points
            Critical: False
            CRL Distribution Points: [1 total]
                Point [1]:
                    General Names: [1 total]
                        http://ipa-ca.ipadomain.net/ipa/crl/MasterCRL.bin
                    Issuer: Directory Name: CN=Certificate Authority,O=ipaca
                    Reasons: ()
            Name: Certificate Subject Key ID
            Critical: False
            Data: 54:fc:0c:52:ce:43:8e:e2:db:b7:cb:96:9f:96:13:b0:19:a1:b7:c6
    Signature:
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Signature:
    Fingerprint (MD5): 00:88:e0:87:e7:a9:3a:08:d1:f4:4c:e0:57:e9:c9:6e
    Fingerprint (SHA1): 6e:d8:f8:7b:44:63:47:84:8c:97:58:14:d8:a0:8e:aa:a8:3b:8c:aa
2015-09-11T16:24:09Z DEBUG approved_usage = SSLServer intended_usage = SSLServer
2015-09-11T16:24:09Z DEBUG cert valid True for "CN=dc1.ipadomain.net,O=ipadomain.net"
2015-09-11T16:24:09Z DEBUG handshake complete, peer = 10.21.0.99:443
2015-09-11T16:24:10Z DEBUG received Set-Cookie 'ipa_session=1509570e24e6e2a523849d0eaefc3284; Domain=dc1.ipadomain.net; Path=/ipa; Expires=Fri, 11 Sep 2015 16:44:09 GMT; Secure; HttpOnly'
2015-09-11T16:24:10Z DEBUG storing cookie 'ipa_session=1509570e24e6e2a523849d0eaefc3284; Domain=dc1.ipadomain.net; Path=/ipa; Expires=Fri, 11 Sep 2015 16:44:09 GMT; Secure; HttpOnly' for principal host/ipaclient.ipadomain.net at ipadomain.net
2015-09-11T16:24:10Z DEBUG args=keyctl search @s user ipa_session_cookie:host/ipaclient.ipadomain.net at ipadomain.net
2015-09-11T16:24:10Z DEBUG stdout=
2015-09-11T16:24:10Z DEBUG stderr=keyctl_search: Required key not available
2015-09-11T16:24:10Z DEBUG args=keyctl search @s user ipa_session_cookie:host/ipaclient.ipadomain.net at ipadomain.net
2015-09-11T16:24:10Z DEBUG stdout=
2015-09-11T16:24:10Z DEBUG stderr=keyctl_search: Required key not available 2015-09-11T16:24:10Z DEBUG args=keyctl padd user ipa_session_cookie:host/ipaclient.ipadomain.net at ipadomain.net @s 2015-09-11T16:24:10Z DEBUG stdout=371130706 2015-09-11T16:24:10Z DEBUG stderr= 2015-09-11T16:24:10Z DEBUG Created connection context.xmlclient 2015-09-11T16:24:10Z DEBUG raw: env(None, server=True) 2015-09-11T16:24:10Z DEBUG env(None, server=True, all=True) 2015-09-11T16:24:10Z INFO Forwarding 'env' to server u'https://dc1.ipadomain.net/ipa/xml' 2015-09-11T16:24:10Z DEBUG NSSConnection init dc1.ipadomain.net 2015-09-11T16:24:10Z DEBUG Connecting: 10.21.0.99:0 2015-09-11T16:24:10Z DEBUG auth_certificate_callback: check_sig=True is_server=False Data: Version: 3 (0x2) Serial Number: 9 (0x9) Signature Algorithm: Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: CN=Certificate Authority,O=ipadomain.net Validity: Not Before: Wed Mar 25 18:49:48 2015 UTC Not After: Sat Mar 25 18:49:48 2017 UTC Subject: CN=dc1.ipadomain.net,O=ipadomain.net Subject Public Key Info: Public Key Algorithm: Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: ac:d1:8b:93:de:09:72:e1:2e:48:fd:6b:a0:5a:e2:2b: af:b8:fa:c1:d7:e1:da:a3:8f:1f:4b:a7:47:cf:d1:8c: 32:77:37:7e:3b:73:ce:77:c6:74:f9:1e:4e:83:1d:f8: 18:d2:10:2b:a9:42:d0:6d:8c:45:36:52:d7:82:2f:da: a7:18:3a:7b:c5:9b:34:e5:87:e3:45:12:61:34:50:cc: d7:40:27:22:ce:f4:22:e9:1d:3b:3c:13:bb:14:32:c3: a8:0e:b1:85:a1:7e:28:11:92:6c:1e:40:01:98:eb:00: f2:cc:06:22:84:40:93:6a:a3:29:df:c0:5f:36:28:a4: c2:ae:89:c9:32:46:2b:8d:08:cc:15:99:2b:e9:05:10: fb:7e:af:6d:7d:0c:37:80:56:1e:fd:d7:06:e8:ff:04: 28:87:d8:8c:57:0a:cc:02:af:bc:be:92:cd:ee:a6:c8: 1a:8f:2a:0e:31:24:86:f5:68:95:08:d0:d6:97:80:e8: 3e:ee:4a:aa:f5:40:6b:e2:2a:84:71:1b:85:a8:92:70: 0b:2b:b2:c5:d0:5d:9e:c3:29:6c:3d:ac:12:e2:1c:c2: 16:f0:d2:6d:7e:06:90:b6:a2:ac:f9:7f:bf:d3:fc:a2: 5c:41:18:c4:69:84:25:73:8c:e1:e5:5e:4f:1a:ae:ef Exponent: 65537 (0x10001) Signed Extensions: (6) Name: Certificate 
Authority Key Identifier Critical: False Key ID: cd:7d:41:02:e9:c8:84:1b:4d:0e:f0:7f:63:7a:48:c1: 65:eb:9b:60 Serial Number: None General Names: [0 total] Name: Authority Information Access Critical: False Name: Certificate Key Usage Critical: True Usages: Digital Signature Non-Repudiation Key Encipherment Data Encipherment Name: Extended Key Usage Critical: False Usages: TLS Web Server Authentication Certificate TLS Web Client Authentication Certificate Name: CRL Distribution Points Critical: False CRL Distribution Points: [1 total] Point [1]: General Names: [1 total] http://ipa-ca.ipadomain.net/ipa/crl/MasterCRL.bin Issuer: Directory Name: CN=Certificate Authority,O=ipaca Reasons: () Name: Certificate Subject Key ID Critical: False Data: 54:fc:0c:52:ce:43:8e:e2:db:b7:cb:96:9f:96:13:b0: 19:a1:b7:c6 Signature: Signature Algorithm: Algorithm: PKCS #1 SHA-256 With RSA Encryption Signature: 05:c1:eb:67:84:5f:f9:65:f1:7f:8a:07:0c:0b:98:14: 78:df:65:b4:e2:a4:4f:9b:83:31:21:63:d7:d1:e3:bc: b8:cd:30:bc:9c:11:e3:2c:a7:e8:ec:41:7d:d3:29:a4: 4c:42:d1:a3:86:a5:84:84:f7:12:70:a3:99:44:26:46: 34:b7:eb:89:3e:02:b3:a4:e7:43:f6:34:91:41:99:66: 37:96:e0:83:17:90:2c:e3:a4:f8:fd:3b:5d:a9:c6:a2: 96:29:21:9c:90:da:2f:c3:83:17:6e:3c:32:fb:e4:55: aa:65:28:b0:b6:eb:0f:25:63:2b:76:4a:88:f4:52:96: 45:33:96:cd:12:17:f4:a8:af:99:14:b2:76:ce:85:5a: aa:ca:73:ea:16:7c:2b:4e:03:81:11:d8:c1:de:d4:96: 21:eb:d6:a5:61:ca:fd:b2:e9:a3:be:1c:59:bf:e9:d5: a5:73:15:99:d7:a4:8b:2d:46:df:e3:f2:b7:38:de:2c: b5:66:58:33:37:a7:6c:5a:3c:ce:5c:11:b2:88:15:77: 7f:6c:e8:7a:37:7a:b2:d7:39:3b:9a:de:ff:10:ad:40: 4b:95:58:26:f1:07:61:90:00:45:37:9a:d9:a7:42:26: 21:ed:ca:54:a9:3e:18:04:3e:aa:a8:a2:9c:94:c2:70 Fingerprint (MD5): 00:88:e0:87:e7:a9:3a:08:d1:f4:4c:e0:57:e9:c9:6e Fingerprint (SHA1): 6e:d8:f8:7b:44:63:47:84:8c:97:58:14:d8:a0:8e:aa: a8:3b:8c:aa 2015-09-11T16:24:10Z DEBUG approved_usage = SSLServer intended_usage = SSLServer 2015-09-11T16:24:10Z DEBUG cert valid True for "CN=dc1.ipadomain.net,O=ipadomain.net" 
2015-09-11T16:24:10Z DEBUG handshake complete, peer = 10.21.0.99:443 2015-09-11T16:24:10Z DEBUG received Set-Cookie 'ipa_session=c95bf33d955de3ac42471d808c43ac90; Domain=dc1.ipadomain.net; Path=/ipa; Expires=Fri, 11 Sep 2015 16:44:10 GMT; Secure; HttpOnly' 2015-09-11T16:24:10Z DEBUG storing cookie 'ipa_session=c95bf33d955de3ac42471d808c43ac90; Domain=dc1.ipadomain.net; Path=/ipa; Expires=Fri, 11 Sep 2015 16:44:10 GMT; Secure; HttpOnly' for principal host/ipaclient.ipadomain.net at ipadomain.net 2015-09-11T16:24:10Z DEBUG args=keyctl search @s user ipa_session_cookie:host/ipaclient.ipadomain.net at ipadomain.net 2015-09-11T16:24:10Z DEBUG stdout=371130706 2015-09-11T16:24:10Z DEBUG stderr= 2015-09-11T16:24:10Z DEBUG args=keyctl search @s user ipa_session_cookie:host/ipaclient.ipadomain.net at ipadomain.net 2015-09-11T16:24:10Z DEBUG stdout=371130706 2015-09-11T16:24:10Z DEBUG stderr= 2015-09-11T16:24:10Z DEBUG args=keyctl pupdate 371130706 2015-09-11T16:24:10Z DEBUG stdout= 2015-09-11T16:24:10Z DEBUG stderr= 2015-09-11T16:24:10Z WARNING Hostname (ipaclient.ipadomain.net) not found in DNS 2015-09-11T16:24:10Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt: 2015-09-11T16:24:10Z DEBUG zone ipadomain.net. update delete ipaclient.ipadomain.net. IN A send update add ipaclient.ipadomain.net. 1200 IN A 10.178.37.49 send 2015-09-11T16:24:11Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2015-09-11T16:24:11Z DEBUG stdout= 2015-09-11T16:24:11Z DEBUG stderr= 2015-09-11T16:24:11Z INFO DNS server record set to: ipaclient.ipadomain.net -> 10.178.37.49 2015-09-11T16:24:11Z DEBUG args=/sbin/service messagebus start 2015-09-11T16:24:11Z DEBUG stdout=Starting system message bus: 2015-09-11T16:24:11Z DEBUG stderr= 2015-09-11T16:24:11Z DEBUG args=/sbin/service messagebus status 2015-09-11T16:24:11Z DEBUG stdout=messagebus (pid 4923) is running... 
2015-09-11T16:24:11Z DEBUG stderr= 2015-09-11T16:24:11Z DEBUG args=/sbin/service certmonger restart 2015-09-11T16:24:11Z DEBUG stdout=Stopping certmonger: [FAILED] Starting certmonger: [ OK ] 2015-09-11T16:24:11Z DEBUG stderr= 2015-09-11T16:24:11Z DEBUG args=/sbin/service certmonger status 2015-09-11T16:24:11Z DEBUG stdout=certmonger (pid 2604) is running... 2015-09-11T16:24:11Z DEBUG stderr= 2015-09-11T16:24:15Z DEBUG args=/sbin/service certmonger stop 2015-09-11T16:24:15Z DEBUG stdout=Stopping certmonger: [ OK ] 2015-09-11T16:24:15Z DEBUG stderr= 2015-09-11T16:24:19Z DEBUG args=/sbin/service certmonger restart 2015-09-11T16:24:19Z DEBUG stdout=Stopping certmonger: [FAILED] Starting certmonger: [ OK ] 2015-09-11T16:24:19Z DEBUG stderr= 2015-09-11T16:24:19Z DEBUG args=/sbin/service certmonger status 2015-09-11T16:24:19Z DEBUG stdout=certmonger (pid 2669) is running... 2015-09-11T16:24:19Z DEBUG stderr= 2015-09-11T16:24:19Z DEBUG args=/sbin/chkconfig certmonger on 2015-09-11T16:24:19Z DEBUG stdout= 2015-09-11T16:24:19Z DEBUG stderr= 2015-09-11T16:24:22Z DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - ipaclient.ipadomain.net -N CN=ipaclient.ipadomain.net,O=ipadomain.net -K host/ipaclient.ipadomain.net at ipadomain.net 2015-09-11T16:24:22Z DEBUG stdout=New signing request "20150911162421" added. 
2015-09-11T16:24:22Z DEBUG stderr= 2015-09-11T16:24:22Z INFO Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub 2015-09-11T16:24:22Z INFO Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub 2015-09-11T16:24:22Z DEBUG raw: host_mod(u'ipaclient.ipadomain.net', ipasshpubkey=[u'ssh-dss AAAAB3NzaC1kc3MAAACBAJGrv+zwBF4eML1Kl3wezXIKb6JHxDck8xqZizCxN7JD3IcJBCWU11w8O7ZrKgLm1x7Eu7Ztd7IRCHHyrv+GRC8W76vms9guupvPikfz94DGiQbj+NSG0yOX2kNJuSMya5zctzygsTrWQesL9t+RVNn5Z/TWSJj2QXpzWwXxCh/JAAAAFQCVD4id71lkdvtguRT0uyjvbd+wTwAAAIAHJwMvVemce0Tsxl9cisjsUWRx75R42pelGOtN0/gpbfEMIDFVG9nNB+xdoVzo0xZHe3t4uybOohB5m7QvPeNSiTvMokfqJYnle7F1OK/KGRIq32z8vpV3ldVcN/6dno8Lf3za3taqKqL8C5BfALmO2YAsh+1T+rkpJijxqYJIGgAAAIBbc2PSnSbKl0jhdy7dyYcQCSGZ2J4xJaP5fZvm8N7yiNXmoGETiWL+oWo9AYmsrrN70KSFceKAsWCcoMxFuDcuRNYH/8Lu85Wh2tIWiKgtYum6hpFsMTPvlvc++bJBMzCITjfraxENTcjzMFdP/kBDLpGQOxtlfsFX+HTyBwLynQ==', u'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxFZBLiL1qo7ZgBiCFhGMmfKESbXr8aC2DmAy0pCg/VtmFWRC/QeWxceM6uhQaDedWOOcsHstT+0RThWrlDq4zUWqFaBx1jNqIj2TJa2wK0BtZrM/DvrnhgovGbiFxYwa/Cl/rlYwNj2v7f3+YItXl9iyxKqdF6kcFloPQeTGafUjx36RDWwk+SL3PeyqsszDEEQuSqRK1ZVShEpQYsVQo/bbP6Juyj3drFo9dIEVZw651whiv+wofKSCU8FD9PYFIqk2ncktPYMq/KBmHflfNl2jvYUUmldwlj1C8EhQ0zQBTZu1/HLrjPJVhOXHQ29D5uvmrR4cTqMZ+XibD7nz0w=='], updatedns=False) 2015-09-11T16:24:22Z DEBUG host_mod(u'ipaclient.ipadomain.net', random=False, ipasshpubkey=(u'ssh-dss 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', u'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxFZBLiL1qo7ZgBiCFhGMmfKESbXr8aC2DmAy0pCg/VtmFWRC/QeWxceM6uhQaDedWOOcsHstT+0RThWrlDq4zUWqFaBx1jNqIj2TJa2wK0BtZrM/DvrnhgovGbiFxYwa/Cl/rlYwNj2v7f3+YItXl9iyxKqdF6kcFloPQeTGafUjx36RDWwk+SL3PeyqsszDEEQuSqRK1ZVShEpQYsVQo/bbP6Juyj3drFo9dIEVZw651whiv+wofKSCU8FD9PYFIqk2ncktPYMq/KBmHflfNl2jvYUUmldwlj1C8EhQ0zQBTZu1/HLrjPJVhOXHQ29D5uvmrR4cTqMZ+XibD7nz0w=='), rights=False, updatedns=False, all=False, raw=False, no_members=False) 2015-09-11T16:24:22Z INFO Forwarding 'host_mod' to server u'https://dc1.ipadomain.net/ipa/xml' 
2015-09-11T16:24:22Z DEBUG NSSConnection init dc1.ipadomain.net 2015-09-11T16:24:22Z DEBUG Connecting: 10.21.0.99:0 2015-09-11T16:24:22Z DEBUG auth_certificate_callback: check_sig=True is_server=False Data: Version: 3 (0x2) Serial Number: 9 (0x9) Signature Algorithm: Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: CN=Certificate Authority,O=ipadomain.net Validity: Not Before: Wed Mar 25 18:49:48 2015 UTC Not After: Sat Mar 25 18:49:48 2017 UTC Subject: CN=dc1.ipadomain.net,O=ipadomain.net Subject Public Key Info: Public Key Algorithm: Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: ac:d1:8b:93:de:09:72:e1:2e:48:fd:6b:a0:5a:e2:2b: af:b8:fa:c1:d7:e1:da:a3:8f:1f:4b:a7:47:cf:d1:8c: 32:77:37:7e:3b:73:ce:77:c6:74:f9:1e:4e:83:1d:f8: 18:d2:10:2b:a9:42:d0:6d:8c:45:36:52:d7:82:2f:da: a7:18:3a:7b:c5:9b:34:e5:87:e3:45:12:61:34:50:cc: d7:40:27:22:ce:f4:22:e9:1d:3b:3c:13:bb:14:32:c3: a8:0e:b1:85:a1:7e:28:11:92:6c:1e:40:01:98:eb:00: f2:cc:06:22:84:40:93:6a:a3:29:df:c0:5f:36:28:a4: c2:ae:89:c9:32:46:2b:8d:08:cc:15:99:2b:e9:05:10: fb:7e:af:6d:7d:0c:37:80:56:1e:fd:d7:06:e8:ff:04: 28:87:d8:8c:57:0a:cc:02:af:bc:be:92:cd:ee:a6:c8: 1a:8f:2a:0e:31:24:86:f5:68:95:08:d0:d6:97:80:e8: 3e:ee:4a:aa:f5:40:6b:e2:2a:84:71:1b:85:a8:92:70: 0b:2b:b2:c5:d0:5d:9e:c3:29:6c:3d:ac:12:e2:1c:c2: 16:f0:d2:6d:7e:06:90:b6:a2:ac:f9:7f:bf:d3:fc:a2: 5c:41:18:c4:69:84:25:73:8c:e1:e5:5e:4f:1a:ae:ef Exponent: 65537 (0x10001) Signed Extensions: (6) Name: Certificate Authority Key Identifier Critical: False Key ID: cd:7d:41:02:e9:c8:84:1b:4d:0e:f0:7f:63:7a:48:c1: 65:eb:9b:60 Serial Number: None General Names: [0 total] Name: Authority Information Access Critical: False Name: Certificate Key Usage Critical: True Usages: Digital Signature Non-Repudiation Key Encipherment Data Encipherment Name: Extended Key Usage Critical: False Usages: TLS Web Server Authentication Certificate TLS Web Client Authentication Certificate Name: CRL Distribution Points Critical: False CRL Distribution Points: [1 total] 
Point [1]: General Names: [1 total] http://ipa-ca.ipadomain.net/ipa/crl/MasterCRL.bin Issuer: Directory Name: CN=Certificate Authority,O=ipaca Reasons: () Name: Certificate Subject Key ID Critical: False Data: 54:fc:0c:52:ce:43:8e:e2:db:b7:cb:96:9f:96:13:b0: 19:a1:b7:c6 Signature: Signature Algorithm: Algorithm: PKCS #1 SHA-256 With RSA Encryption Signature: 05:c1:eb:67:84:5f:f9:65:f1:7f:8a:07:0c:0b:98:14: 78:df:65:b4:e2:a4:4f:9b:83:31:21:63:d7:d1:e3:bc: b8:cd:30:bc:9c:11:e3:2c:a7:e8:ec:41:7d:d3:29:a4: 4c:42:d1:a3:86:a5:84:84:f7:12:70:a3:99:44:26:46: 34:b7:eb:89:3e:02:b3:a4:e7:43:f6:34:91:41:99:66: 37:96:e0:83:17:90:2c:e3:a4:f8:fd:3b:5d:a9:c6:a2: 96:29:21:9c:90:da:2f:c3:83:17:6e:3c:32:fb:e4:55: aa:65:28:b0:b6:eb:0f:25:63:2b:76:4a:88:f4:52:96: 45:33:96:cd:12:17:f4:a8:af:99:14:b2:76:ce:85:5a: aa:ca:73:ea:16:7c:2b:4e:03:81:11:d8:c1:de:d4:96: 21:eb:d6:a5:61:ca:fd:b2:e9:a3:be:1c:59:bf:e9:d5: a5:73:15:99:d7:a4:8b:2d:46:df:e3:f2:b7:38:de:2c: b5:66:58:33:37:a7:6c:5a:3c:ce:5c:11:b2:88:15:77: 7f:6c:e8:7a:37:7a:b2:d7:39:3b:9a:de:ff:10:ad:40: 4b:95:58:26:f1:07:61:90:00:45:37:9a:d9:a7:42:26: 21:ed:ca:54:a9:3e:18:04:3e:aa:a8:a2:9c:94:c2:70 Fingerprint (MD5): 00:88:e0:87:e7:a9:3a:08:d1:f4:4c:e0:57:e9:c9:6e Fingerprint (SHA1): 6e:d8:f8:7b:44:63:47:84:8c:97:58:14:d8:a0:8e:aa: a8:3b:8c:aa 2015-09-11T16:24:22Z DEBUG approved_usage = SSLServer intended_usage = SSLServer 2015-09-11T16:24:22Z DEBUG cert valid True for "CN=dc1.ipadomain.net,O=ipadomain.net" 2015-09-11T16:24:22Z DEBUG handshake complete, peer = 10.21.0.99:443 2015-09-11T16:24:22Z DEBUG received Set-Cookie 'ipa_session=cd117f44aa3f0e864e08d44d907e41b8; Domain=dc1.ipadomain.net; Path=/ipa; Expires=Fri, 11 Sep 2015 16:44:22 GMT; Secure; HttpOnly' 2015-09-11T16:24:22Z DEBUG storing cookie 'ipa_session=cd117f44aa3f0e864e08d44d907e41b8; Domain=dc1.ipadomain.net; Path=/ipa; Expires=Fri, 11 Sep 2015 16:44:22 GMT; Secure; HttpOnly' for principal host/ipaclient.ipadomain.net at ipadomain.net 2015-09-11T16:24:22Z DEBUG args=keyctl 
search @s user ipa_session_cookie:host/ipaclient.ipadomain.net at ipadomain.net 2015-09-11T16:24:22Z DEBUG stdout=371130706 2015-09-11T16:24:22Z DEBUG stderr= 2015-09-11T16:24:22Z DEBUG args=keyctl search @s user ipa_session_cookie:host/ipaclient.ipadomain.net at ipadomain.net 2015-09-11T16:24:22Z DEBUG stdout=371130706 2015-09-11T16:24:22Z DEBUG stderr= 2015-09-11T16:24:22Z DEBUG args=keyctl pupdate 371130706 2015-09-11T16:24:22Z DEBUG stdout= 2015-09-11T16:24:22Z DEBUG stderr= 2015-09-11T16:24:22Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt: 2015-09-11T16:24:22Z DEBUG zone ipadomain.net. update delete ipaclient.ipadomain.net. IN SSHFP send update add ipaclient.ipadomain.net. 1200 IN SSHFP 2 1 A26C52744E6753985750E3C2B1C2B10960205317 update add ipaclient.ipadomain.net. 1200 IN SSHFP 1 1 FB6DC352D37F1726884DB2BD2976C8DEB571C3E3 send 2015-09-11T16:24:23Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2015-09-11T16:24:23Z DEBUG stdout= 2015-09-11T16:24:23Z DEBUG stderr= 2015-09-11T16:24:23Z DEBUG args=/sbin/service nscd status 2015-09-11T16:24:23Z DEBUG stdout= 2015-09-11T16:24:23Z DEBUG stderr=nscd: unrecognized service 2015-09-11T16:24:23Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2015-09-11T16:24:23Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2015-09-11T16:24:23Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2015-09-11T16:24:24Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd 2015-09-11T16:24:24Z DEBUG stdout=Starting oddjobd: [ OK ] 2015-09-11T16:24:24Z DEBUG stderr= 2015-09-11T16:24:24Z INFO SSSD enabled 2015-09-11T16:24:24Z INFO Configuring ipadomain.net as NIS domain 2015-09-11T16:24:24Z DEBUG args=/bin/nisdomainname 2015-09-11T16:24:24Z DEBUG stdout=(none) 2015-09-11T16:24:24Z DEBUG stderr= 2015-09-11T16:24:24Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 
2015-09-11T16:24:24Z DEBUG args=/usr/sbin/authconfig --update --nisdomain ipadomain.net 2015-09-11T16:24:24Z DEBUG stdout= 2015-09-11T16:24:24Z DEBUG stderr= 2015-09-11T16:24:25Z DEBUG args=/bin/nisdomainname ipadomain.net 2015-09-11T16:24:25Z DEBUG stdout= 2015-09-11T16:24:25Z DEBUG stderr= 2015-09-11T16:24:25Z DEBUG args=/sbin/service sssd restart 2015-09-11T16:24:25Z DEBUG stdout=Stopping sssd: [FAILED] Starting sssd: [ OK ] 2015-09-11T16:24:25Z DEBUG stderr=cat: /var/run/sssd.pid: No such file or directory 2015-09-11T16:24:25Z DEBUG args=/sbin/service sssd status 2015-09-11T16:24:25Z DEBUG stdout=sssd (pid 2824) is running... 2015-09-11T16:24:25Z DEBUG stderr= 2015-09-11T16:24:25Z DEBUG args=/sbin/chkconfig sssd on 2015-09-11T16:24:25Z DEBUG stdout= 2015-09-11T16:24:25Z DEBUG stderr= 2015-09-11T16:24:25Z DEBUG Backing up system configuration file '/etc/openldap/ldap.conf' 2015-09-11T16:24:25Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2015-09-11T16:24:25Z INFO Configured /etc/openldap/ldap.conf 2015-09-11T16:24:25Z DEBUG args=getent passwd admin 2015-09-11T16:24:25Z DEBUG stdout=admin:*:756600000:756600000:Administrator:/home/admin:/bin/bash 2015-09-11T16:24:25Z DEBUG stderr= 2015-09-11T16:24:25Z DEBUG Backing up system configuration file '/etc/ntp/step-tickers' 2015-09-11T16:24:25Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2015-09-11T16:24:25Z DEBUG args=/usr/sbin/selinuxenabled 2015-09-11T16:24:25Z DEBUG stdout= 2015-09-11T16:24:25Z DEBUG stderr= 2015-09-11T16:24:25Z DEBUG args=/sbin/chkconfig ntpd 2015-09-11T16:24:25Z DEBUG stdout= 2015-09-11T16:24:25Z DEBUG stderr= 2015-09-11T16:24:25Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2015-09-11T16:24:25Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2015-09-11T16:24:25Z DEBUG Backing up system configuration file '/etc/ntp.conf' 2015-09-11T16:24:25Z DEBUG Saving Index File to 
'/var/lib/ipa-client/sysrestore/sysrestore.index' 2015-09-11T16:24:26Z DEBUG args=/usr/sbin/selinuxenabled 2015-09-11T16:24:26Z DEBUG stdout= 2015-09-11T16:24:26Z DEBUG stderr= 2015-09-11T16:24:26Z DEBUG Backing up system configuration file '/etc/sysconfig/ntpd' 2015-09-11T16:24:26Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2015-09-11T16:24:26Z DEBUG args=/usr/sbin/selinuxenabled 2015-09-11T16:24:26Z DEBUG stdout= 2015-09-11T16:24:26Z DEBUG stderr= 2015-09-11T16:24:26Z DEBUG args=/sbin/chkconfig ntpd on 2015-09-11T16:24:26Z DEBUG stdout= 2015-09-11T16:24:26Z DEBUG stderr= 2015-09-11T16:24:26Z DEBUG args=/sbin/service ntpd restart 2015-09-11T16:24:26Z DEBUG stdout=Shutting down ntpd: [FAILED] Starting ntpd: [ OK ] 2015-09-11T16:24:26Z DEBUG stderr= 2015-09-11T16:24:26Z DEBUG args=/sbin/service ntpd status 2015-09-11T16:24:26Z DEBUG stdout=ntpd (pid 2865) is running... 2015-09-11T16:24:26Z DEBUG stderr= 2015-09-11T16:24:26Z INFO NTP enabled 2015-09-11T16:24:26Z DEBUG Backing up system configuration file '/etc/ssh/ssh_config' 2015-09-11T16:24:26Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2015-09-11T16:24:26Z INFO Configured /etc/ssh/ssh_config 2015-09-11T16:24:26Z DEBUG Backing up system configuration file '/etc/ssh/sshd_config' 2015-09-11T16:24:26Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2015-09-11T16:24:26Z DEBUG args=sshd -t -f /dev/null -o AuthorizedKeysCommand= 2015-09-11T16:24:26Z DEBUG stdout= 2015-09-11T16:24:26Z DEBUG stderr= 2015-09-11T16:24:26Z INFO Configured /etc/ssh/sshd_config 2015-09-11T16:24:26Z DEBUG args=/sbin/service sshd status 2015-09-11T16:24:26Z DEBUG stdout=openssh-daemon (pid 5057) is running... 
2015-09-11T16:24:26Z DEBUG stderr=
2015-09-11T16:24:27Z DEBUG args=/sbin/service sshd restart
2015-09-11T16:24:27Z DEBUG stdout=Stopping sshd: [ OK ]
Starting sshd: [ OK ]
2015-09-11T16:24:27Z DEBUG stderr=
2015-09-11T16:24:27Z DEBUG args=/sbin/service sshd status
2015-09-11T16:24:27Z DEBUG stdout=openssh-daemon (pid 2908) is running...
2015-09-11T16:24:27Z DEBUG stderr=
2015-09-11T16:24:27Z INFO Client configuration complete.

From simo at redhat.com Fri Sep 11 17:32:26 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 11 Sep 2015 13:32:26 -0400
Subject: [Freeipa-users] ipa-client-install not creating reverse DNS entries
In-Reply-To: 
References: 
Message-ID: <1441992746.29376.27.camel@willson.usersys.redhat.com>

On Fri, 2015-09-11 at 10:25 -0700, nathan at nathanpeters.com wrote:
> I have been trying to figure this out for a while now but when I join
> a machine to FreeIPA, the installer properly creates forward DNS
> entries, and DNS SSHFP entries, but does not create reverse entries.
> Without the PTR records, kerberos logins are always failing on these
> machines.

I am interested in understanding what fails exactly; stuff should not
depend on reverse resolution. Can you give me an example of a failure?

For the PTR creation anyway, have you enabled the option to allow setting
PTR records?
There is a global DNS option (as well as a per-zone setting) called
"Allow PTR Sync" you may want to enable.

-- 
Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Fri Sep 11 20:24:52 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 11 Sep 2015 23:24:52 +0300
Subject: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets
In-Reply-To: 
References: 
Message-ID: <20150911202452.GM6168@redhat.com>

On Fri, 11 Sep 2015, Morgan Marodin wrote:
>Hi everyone.
>
>I've seen these guides:
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ssh.html
>https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ssh.html
>https://www.dalemacartney.com/2013/08/30/single-sign-on-sso-with-secure-shell-ssh/
>
>But I've not been able to access via ssh to a freeipa client with kerberos
>tickets.
>I've also tried to install MIT kerberos on my windows 8.1, but it doesn't
>work either.
This is not required.

What Windows 8.1 version do you have? Is it a Pro edition (the other
editions don't join AD)?

>The target freeipa client is a RHEL 6.7 like distribution.
>
>Naturally trying with AD username (name.surname at mydomain.com) and password
>is ok.
>
>Do you have any suggestions for this problem?
Enable DEBUG3 level logging in sshd_config for the SSH server, attempt to
login from the Windows client and show the logs around 'userok' in the
resulting debug output.

-- 
/ Alexander Bokovoy

From abokovoy at redhat.com Fri Sep 11 20:34:03 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 11 Sep 2015 23:34:03 +0300
Subject: [Freeipa-users] AD Trust Issues
In-Reply-To: 
References: 
Message-ID: <20150911203403.GN6168@redhat.com>

On Fri, 11 Sep 2015, Matt Wells wrote:
>I've been working on an AD trust with our freeipa servers but have run into
>some of the same issues others have had.
>It's well documented here, however I feel I've mitigated these -
>https://bugzilla.redhat.com/show_bug.cgi?id=1219832
>
>Freeipa Servers are Fedora 22 / freeipa-server-4.2.0
>The Samba version I'm on is well past the patched version. It seems the
>patch is in samba-4.2.1-7.fc22 and I'm on samba-4.2.3-0 (assuming the patch
>is in this version).
>
>I run
># echo Password123 | ipa trust-add --type=ad ad.example.com --trust-secret
>ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc
This was looking like a partial fix.
The full fix is in Fedora 23 with the FreeIPA 4.2.1 release (we haven't
officially announced it yet). We were all busy at the FreeIPA/SSSD gathering
in Brno this week so there wasn't really time to do a Fedora 22 backport of
the fixes yet.

-- 
/ Alexander Bokovoy

From prasun.gera at gmail.com Fri Sep 11 20:40:03 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Fri, 11 Sep 2015 13:40:03 -0700
Subject: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
In-Reply-To: 
References: 
Message-ID: 

Has this got anything to do with ipa? The messages started only recently,
which makes me think that it's not a hardware issue. There were only two
notable changes to this system recently. The hdd had to be replaced, and a
replica was set up. Could either have any part to play?

On Thu, Sep 10, 2015 at 6:03 AM, Prasun Gera wrote:

> The hardware is not very old (ivybridge). The entries appear every few
> minutes in the log. The /etc/ntp.conf has not been modified manually. It
> lists 3 servers - 0.rhel.pool.ntp.org, 1 and 2. At the end, there are
> also a couple of additional local servers with the comment added by
> /sbin/dhclient-script. The replica on the same network with an identical
> ntp.conf file doesn't have these messages in the current log. However, if I
> go back a week, I see similar messages there too. The ping to public
> ntp servers varies from a few ms to ~50 ms. The ping to local servers is
> under 1 ms. I followed steps from the first link (ntpd -qg), and the
> messages have stopped for now, but I suspect that they will reappear later.
> That's what happened last time I tried that solution.
> This is the output from ntpq -pn on the master:
>
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> +38.229.71.1     204.123.2.5      2 u   39   64  377   44.300 -1311.8   7.668
> +64.6.144.6      128.252.19.1     2 u   25   64  377   38.184 -1327.6  12.615
> -129.250.35.251  200.98.196.212   2 u   30   64  377   14.649 -1318.8   7.079
>  127.127.1.0     .LOCL.          10 l    -   64    0    0.000    0.000   0.000
> *localnetip1     localnetref1     2 u   55   64  377    0.349 -1316.0   8.264
> -localnetip2     localnetref2     3 u   64   64  377    0.459 -1309.6  10.516
>
>
> On Thu, Sep 10, 2015 at 5:27 AM, Andrew Holway wrote:
>
>> It could be the server is trying to access the time server over a heavily
>> congested network which could cause these types of problems.
>>
>> How old is the hardware?
>> How often do these entries appear in the log?
>> What is the ping / traceroute to the time server you are using?
>> Are there any other machines on the same local network that are using
>> this timeserver? Do they have problems?
>>
>> On 10 September 2015 at 14:18, Prasun Gera wrote:
>>
>>> So I did a bit of googling and tinker panic 0 only makes sense for
>>> virtual machines. Is there any way to confirm if it is indeed a hardware
>>> issue?
>>>
>>> On Thu, Sep 10, 2015 at 5:16 AM, Andrew Holway wrote:
>>>
>>>> That's odd. You would normally not need it on bare metal. It could be
>>>> broken hardware.
>>>>
>>>> On 10 September 2015 at 14:05, Prasun Gera wrote:
>>>>
>>>>> Thanks. I'm not virtualizing though. Should I still add it?
>>>>>
>>>>> On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway <andrew.holway at gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I assume you are virtualising.
>>>>>>
>>>>>> Try adding "tinker panic 0" to /etc/ntp.conf.
>>>>>>
>>>>>> It should make it tolerant to heavily drifting virtual clocks.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Andrew
>>>>>>
>>>>>> On 10 September 2015 at 13:46, Prasun Gera wrote:
>>>>>>
>>>>>>> OS: RHEL 7.1 w IDM
>>>>>>>
>>>>>>> I'm seeing these messages in my master's log messages. I don't know
>>>>>>> if it's related, but I think I started seeing them after I set up a
>>>>>>> replica. Everything seems to be working fine, but I'm worried that things
>>>>>>> will break if the delta grows beyond a point. I tried the steps in
>>>>>>> https://access.redhat.com/solutions/35640, but it didn't really
>>>>>>> help. The messages still appear regularly in the log.
>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project

From CWhite at skytouchtechnology.com Fri Sep 11 23:12:08 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Fri, 11 Sep 2015 23:12:08 +0000
Subject: [Freeipa-users] Search 'hosts'
Message-ID: 

ipa-server-4.1.0-18.el7_1.4.x86_64

Maybe I was spoiled, but from the web ui I can't seem to search for hosts
or DNS names - all searches seem to return nothing at all.

User searches work (thankfully).

In the previous version, 3.0.0 from RHEL6, I could just put in "ipa" and
get the hosts listed that had ipa in them.

Is it just me?

Craig White
System Administrator
O 623-201-8179
M 602-377-9752

SkyTouch Technology
4225 E. Windrose Dr.
Phoenix, AZ 85032

From jcnt at use.startmail.com Fri Sep 11 23:19:47 2015
From: jcnt at use.startmail.com (jcnt at use.startmail.com)
Date: Fri, 11 Sep 2015 19:19:47 -0400
Subject: [Freeipa-users] vsftpd PAM setup problem
Message-ID: 

Hi All,

I am using RHEL 7 with ipa server and vsftpd - no modifications to the
installed packages whatsoever. Local users (listed in /etc/passwd) can log
in using an ftp client but ipa defined users get login denied.

Here is the snippet from /var/log/audit/audit.log:

type=USER_AUTH msg=audit(1442012213.988:24095): pid=27280 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="admin" exe="/usr/sbin/vsftpd" hostname=::ffff:192.168.1.11 addr=::ffff:192.168.1.11 terminal=ftp res=failed'

for local account:

type=USER_AUTH msg=audit(1442012143.221:24056): pid=27173 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_listfile,pam_shells,pam_unix acct="jcnt" exe="/usr/sbin/vsftpd" hostname=::ffff:192.168.1.11 addr=::ffff:192.168.1.11 terminal=ftp res=success'

The grantors value is missing when an ipa defined user is processed ...
The admin user uses the default HBAC - all hosts, all services.

Identical behavior on a test system running CentOS 7.

I found a thread on a similar subject,
https://www.redhat.com/archives/freeipa-users/2014-October/msg00479.html,
but it seems not applicable; I haven't touched /tmp permissions/ownership.

-- 
Josh.
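The two audit records in the post above are worth reading mechanically rather than by eye: in a USER_AUTH record the grantors field inside the quoted msg='...' payload names the PAM modules that returned success, and `grantors=?` together with `res=failed` means no module in the service's auth stack granted the request at all. The following is an added example, not code from the post, from vsftpd or from FreeIPA; it parses the nested key=value format of audit.log (constructed sample input below is the two lines quoted in the post) and lists failed authentications that name no grantor, optionally filtered to one service binary, so the same check can be run against a live /var/log/audit/audit.log.

```python
"""List PAM authentication failures in audit.log that name no grantor module.

Added example (not from the post, vsftpd or FreeIPA). The sample input is the
two USER_AUTH records quoted in the post, re-used here as constructed test
data. Audit records are "key=value" tokens; the PAM payload is itself a
quoted msg='...' blob holding more key=value tokens, which is why a naive
split on spaces produces garbage.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: the two records quoted in the post above.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1442012213.988:24095): pid=27280 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="admin" exe="/usr/sbin/vsftpd" hostname=::ffff:192.168.1.11 addr=::ffff:192.168.1.11 terminal=ftp res=failed'
type=USER_AUTH msg=audit(1442012143.221:24056): pid=27173 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_listfile,pam_shells,pam_unix acct="jcnt" exe="/usr/sbin/vsftpd" hostname=::ffff:192.168.1.11 addr=::ffff:192.168.1.11 terminal=ftp res=success'
"""

# One key=value token: the value is a single-quoted blob (may contain spaces),
# a double-quoted string, or a bare run of non-space characters.
_KV = re.compile(r"""(\w+)=('(?:[^'\\]|\\.)*'|"[^"]*"|\S+)""")


def parse_audit_record(line: str) -> Dict[str, str]:
    """Flatten one audit record into a dict.

    Outer tokens (type=, pid=, uid=, subj=, ...) and the tokens inside the
    quoted msg='...' PAM payload (op=, grantors=, acct=, res=, ...) are merged.
    The outer msg=audit(...) identifier is kept under 'audit_id' so it does
    not collide with the inner payload.
    """
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if value.startswith("'") and value.endswith("'"):
            for ikey, ivalue in _KV.findall(value[1:-1]):
                fields[ikey] = ivalue.strip('"')
        elif key == "msg":
            fields["audit_id"] = value
        else:
            fields[key] = value.strip('"')
    return fields


def pam_failures_without_grantor(log_text: str,
                                 service: Optional[str] = None) -> List[Dict[str, str]]:
    """USER_AUTH records with op=PAM:authentication, res=failed and grantors=?.

    service, if given, is the basename of the binary (e.g. "vsftpd") and
    restricts the result to records whose exe= ends with it.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.startswith("type=USER_AUTH"):
            continue
        rec = parse_audit_record(line)
        if rec.get("op") != "PAM:authentication" or rec.get("res") != "failed":
            continue
        if rec.get("grantors", "?") != "?":
            continue            # some module did grant; an ordinary wrong password
        if service and not rec.get("exe", "").endswith("/" + service):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in pam_failures_without_grantor(SAMPLE_AUDIT_LOG, "vsftpd"):
        print(f"{rec['audit_id']} acct={rec['acct']} from {rec['addr']}: "
              f"auth failed, no PAM module granted")
```

Feed it the real file with `pam_failures_without_grantor(open("/var/log/audit/audit.log").read(), "vsftpd")`; an empty result while logins still fail means the failure is being recorded under a different record type (for example USER_ACCT from the account stack) and the filter should be widened.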
From nathan at nathanpeters.com Sat Sep 12 05:41:46 2015
From: nathan at nathanpeters.com (Nathan Peters)
Date: Fri, 11 Sep 2015 22:41:46 -0700
Subject: [Freeipa-users] ipa-client-install not creating reverse DNS entries
In-Reply-To: <1441992746.29376.27.camel@willson.usersys.redhat.com>
References: <1441992746.29376.27.camel@willson.usersys.redhat.com>
Message-ID: <55F3BB1A.6090304@nathanpeters.com>

On 9/11/2015 10:32 AM, Simo Sorce wrote:
> On Fri, 2015-09-11 at 10:25 -0700, nathan at nathanpeters.com wrote:
>> I have been trying to figure this out for a while now but when I join
>> a machine to FreeIPA, the installer properly creates forward DNS
>> entries, and DNS SSHFP entries, but does not create reverse entries.
>> Without the PTR records, kerberos logins are always failing on these
>> machines.
> I am interested in understanding what fails exactly, stuff should not
> depend on reverse resolution can you give me an example of a failure ?
>
> For the PTR creation anyway have you enabled the option to allow setting
> PTR records ?
> There is a global DNS option (As awell as per-zone setting) called
> "Allow PTR Sync" you may want to enable.
>

When we attempt to login using kerberos on a machine that has no reverse
DNS entry defined, we are instead prompted with a password prompt. The
password authentication still works but the ticket does not.

From what I read, the Allow PTR Sync option is only used in conjunction
with DNS IP address changes and does not apply to the initial join of the
domain.

Is the joining process supposed to create reverse DNS entries for the
clients or just forward entries and SSHFP entries?
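The installer log earlier on this page shows exactly what ipa-client-install hands to `nsupdate -g` for the forward zone (a `zone`, an `update delete`, an `update add` with TTL 1200, and `send`), and nothing equivalent for the reverse zone. The following is an added example, not FreeIPA's code, that builds the matching PTR batch for a host, for IPv4 and IPv6. The reverse zone name is an assumption: it is derived from the address as a /24 in-addr.arpa zone (or /64 ip6.arpa) and has to be a zone the IPA DNS server actually hosts; the host principal also needs an update policy on that zone (or "Allow PTR Sync" as Simo describes) for the GSS-TSIG update to be accepted.

```python
"""Build the nsupdate batch that adds the PTR record the client installer
does not (added example; not FreeIPA code).

Mirrors the A-record batch visible in the installer log:
    zone ipadomain.net.
    update delete ipaclient.ipadomain.net. IN A
    send
    update add ipaclient.ipadomain.net. 1200 IN A 10.178.37.49
    send
Assumption: the reverse zone is the /24 (IPv4) or /64 (IPv6) enclosing
the address; pass prefixlen explicitly if the server hosts a different cut.
"""
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def reverse_zone(addr: IPAddr, prefixlen: Optional[int] = None) -> str:
    """Name (with trailing dot) of the reverse zone that would hold addr's PTR."""
    if prefixlen is None:
        prefixlen = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    # reverse_pointer of the network address has every label; drop the ones
    # below the zone cut: one octet per label for IPv4, one nibble for IPv6.
    labels = net.network_address.reverse_pointer.split(".")
    bits_per_label = 8 if addr.version == 4 else 4
    drop = (addr.max_prefixlen - prefixlen) // bits_per_label
    return ".".join(labels[drop:]) + "."


def ptr_nsupdate(fqdn: str, ip: str, ttl: int = 1200) -> str:
    """nsupdate batch (for `nsupdate -g`) replacing ip's PTR with one for fqdn."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on bad input
    owner = addr.reverse_pointer + "."       # e.g. 49.37.178.10.in-addr.arpa.
    target = fqdn.rstrip(".") + "."          # PTR targets must be absolute
    lines = [
        f"zone {reverse_zone(addr)}",
        f"update delete {owner} IN PTR",
        "send",
        f"update add {owner} {ttl} IN PTR {target}",
        "send",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The host from the installer log above.
    print(ptr_nsupdate("ipaclient.ipadomain.net", "10.178.37.49"), end="")
```

Write the output to a file and run `nsupdate -g <file>` with the host's keytab in the credential cache, as the installer does; a REFUSED reply from the server means the zone's update policy, not the batch, is what needs attention.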
From natxo.asenjo at gmail.com Sat Sep 12 07:43:29 2015
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sat, 12 Sep 2015 09:43:29 +0200
Subject: [Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1
Message-ID: 

hi,

In a test network I followed the procedure specified in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
to migrate from a centos 6.7 ipa server to a new centos 7 ipa server.

Everything went fine, I shut down the centos 6.7 host and I can kinit to
the test realm like before with everything being handled by the centos 7.1
ipa server.

Unfortunately, firefox is not loading the web ui with the message:

An error occurred during a connection to kdc2.unix.domain.tld. The OCSP
server experienced an internal error. (Error code:
sec_error_ocsp_server_error)

Chrome works fine, it does not query the ocsp responder apparently. If I
turn off the ocsp queries in firefox, everything works.

So how can I troubleshoot this? I have turned off the firewall on the
centos 7.1 hosts, selinux is permissive.

-- 
Groeten,
natxo

From natxo.asenjo at gmail.com Sat Sep 12 07:51:23 2015
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sat, 12 Sep 2015 09:51:23 +0200
Subject: [Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1
In-Reply-To: 
References: 
Message-ID: 

On Sat, Sep 12, 2015 at 9:43 AM, Natxo Asenjo wrote:

> hi,
>
> In a test network I followed the procedure specified in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
> to migrate from a centos 6.7 ipa server to a new centos 7 ipa server.
> > Everything went fine, I shut down the centos 6.7 host and I can kinit to > the test realm like before with everything being handled by the centos 7.1 > ipa server. > > Unfortunately, firefox is not loading the web ui with the message: > > An error occurred during a connection to kdc2.unix.domain.tld. The OCSP > server experienced an internal error. (Error code: > sec_error_ocsp_server_error) > > > Chrome works fine, it does not query the ocsp responder apparently. If I > turn off the ocsp queries in firefox, everything works. > > So how can I troubleshoot this? I have turned off the firewall in the > centos 7.1 hosts, selinux is permissive. >
ok, so I found something:
$ openssl s_client -connect kdc2.unix.domain.tld:443 | openssl x509 -noout -text | grep -i ocsp
OCSP - URI:http://kdc1.unix.domain.tld:80/ca/ocsp
so it's pointing to the centos 6.7 box, and that one is gone. That's why it's not working. Shouldn't the certificates be modified or recreated when decommissioning replicas? I must have done something wrong when decommissioning the server ... Anyway, I created an A record for kdc1 pointing to kdc2 and now it's working, but I wonder if this is the 'right' approach. -- Regards, natxo

From natxo.asenjo at gmail.com Sat Sep 12 10:18:20 2015 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Sat, 12 Sep 2015 12:18:20 +0200 Subject: [Freeipa-users] ipa-client-install --request-cert fails Message-ID:
hi, on a centos 7.1 host when enrolling it with (among others) the switch --request-cert it does not create a host certificate for it. The host is properly joined but no certificate is present. In the ipaclient-install.log file I see this: 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed but no other clue as to what went wrong. How can I troubleshoot this? Thanks!
-- Regards, natxo

From brian at interlinx.bc.ca Sat Sep 12 12:57:59 2015 From: brian at interlinx.bc.ca (Brian J. Murrell) Date: Sat, 12 Sep 2015 08:57:59 -0400 Subject: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate Message-ID: <1442062679.4520.24.camel@interlinx.bc.ca>
Due to the bug in mod_nss that prevents SNI from functioning (i.e. limits a port to a single certificate) I need to add SANs (SubjectAltName) to the certificate that freeipa created for the webserver (Server-Cert) so that I can add more virtual hosts to the same Apache instance (yes, I know this is not advised but budgetary constraints are at play here). How do I go about that? Do I want to resubmit the certificate request with some -D alt.name1 -D alt.name2, etc. parameters as such:
# ipa-getcert resubmit -i -D alt.name1 -D alt.name2
Is that the correct operation? If so, is there anything more I need to do after that? Cheers, b.

From natxo.asenjo at gmail.com Sat Sep 12 13:14:35 2015 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Sat, 12 Sep 2015 15:14:35 +0200 Subject: [Freeipa-users] ipa-client-install --request-cert fails In-Reply-To: References: Message-ID:
On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo wrote: > hi, > > on a centos 7.1 host when enrolling it with (among others) the switch > --request-cert it does not create a host certificate for it. The host is > properly joined but no certificate is present. > > In the ipaclient-install.log file I see this: > > 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed > it's not working when joining a centos 6.7 realm either, same error. -- regards, natxo
From piolet.y at gmail.com Sat Sep 12 20:42:50 2015 From: piolet.y at gmail.com (Youenn PIOLET) Date: Sat, 12 Sep 2015 22:42:50 +0200 Subject: [Freeipa-users] ipa-client-install not creating reverse DNS entries In-Reply-To: <55F3BB1A.6090304@nathanpeters.com> References: <1441992746.29376.27.camel@willson.usersys.redhat.com> <55F3BB1A.6090304@nathanpeters.com> Message-ID:
Hi, I've seen the same issue recently on various clients using ipa 3.3 and ipa 4.* during the first join on a clean OS. Can't confirm it was working before. Is it normal behavior? Allow PTR sync is enabled. Cheers, On 12 Sep 2015 7:44 AM, "Nathan Peters" wrote: > > On 9/11/2015 10:32 AM, Simo Sorce wrote: > >> On Fri, 2015-09-11 at 10:25 -0700, nathan at nathanpeters.com wrote: >> >>> I have been trying to figure this out for a while now but when I join >>> machine to FreeIPA, the installer properly creates forward DNS >>> entries, and DNS SSHFP entries, but does not create reverse entries. >>> Without the PTR records, kerberos logins are always failing on these >>> machines. >>> >> I am interested in understanding what fails exactly, stuff should not >> depend on reverse resolution can you give me an example of a failure? >> >> For the PTR creation anyway have you enabled the option to allow setting >> PTR records? >> There is a global DNS option (as well as per-zone setting) called >> "Allow PTR Sync" you may want to enable. >> >> > When we attempt to login using kerberos on a machine that has no reverse > DNS entry defined, we are instead prompted with a password prompt. The > password authentication still works but the ticket does not. > > From what I read, the Allow PTR Sync option is only used in conjunction > with DNS IP address changes and does not apply to the initial join of the > domain. > > Is the joining process supposed to create reverse DNS entries for the > clients or just forward entries and SSHFP entries?
From janellenicole80 at gmail.com Sun Sep 13 14:33:04 2015 From: janellenicole80 at gmail.com (Janelle) Date: Sun, 13 Sep 2015 07:33:04 -0700 Subject: [Freeipa-users] V6 and v4 Message-ID:
Hello, I read something recently that if IPv6 is disabled on a server this hurts performance in some way? Is there more info on this or did I misread it? Thank you ~J

From jhrozek at redhat.com Sun Sep 13 20:42:31 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 13 Sep 2015 22:42:31 +0200 Subject: [Freeipa-users] vsftpd PAM setup problem In-Reply-To: References: Message-ID: <20150913204231.GA22176@Jakubs-MacBook-Pro.local>
On Fri, Sep 11, 2015 at 07:19:47PM -0400, jcnt at use.startmail.com wrote: > Hi All, > > I am using RHEL 7 with ipa server and vsftpd - no modifications to installed packages whatsoever. > Local users (listed in /etc/passwd) can login using ftp client but ipa defined users get login denied. Here is the snippet from /var/log/audit/audit.log > type=USER_AUTH msg=audit(1442012213.988:24095): pid=27280 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="admin" exe="/usr/sbin/vsftpd" hostname=::ffff:192.168.1.11 addr=::ffff:192.168.1.11 terminal=ftp res=failed' > > for local account: > type=USER_AUTH msg=audit(1442012143.221:24056): pid=27173 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_listfile,pam_shells,pam_unix acct="jcnt" exe="/usr/sbin/vsftpd" hostname=::ffff:192.168.1.11 addr=::ffff:192.168.1.11 terminal=ftp res=success' > > Grantors value is missing when ipa defined user is processed ...
> > admin user uses default HBAC - all hosts all services. > > Identical behavior on a test system running CentOS 7. > > I found similar subject thread https://www.redhat.com/archives/freeipa-users/2014-October/msg00479.html but seems not applicable, I haven't touched /tmp permissions/ownership. Is there anything in /var/log/secure for vsftpd? I would look for messages from pam_sss.so

From mkosek at redhat.com Mon Sep 14 06:18:02 2015 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 14 Sep 2015 08:18:02 +0200 Subject: [Freeipa-users] Search 'hosts' In-Reply-To: References: Message-ID: <55F6669A.4010704@redhat.com>
On 09/12/2015 01:12 AM, Craig White wrote: > ipa-server-4.1.0-18.el7_1.4.x86_64 > > Maybe I was spoiled but from the web ui, I can't seem to search for hosts or DNS names - all searches seem to return nothing at all > > User searches work (thankfully) > > Previous version 3.0.0 from RHEL6 I could just put in ipa and get the hosts listed that had ipa in them. > > Is it just me? > > Craig White > System Administrator > O 623-201-8179 M 602-377-9752 > > SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032 Hello Craig, I think you are hitting https://fedorahosted.org/freeipa/ticket/5167 This particular host-find search should be fixed in RHEL-7.2. There was an overly strict fix of a CVE, resulting in non-ideal general searches that are used in Web UI, causing 0 returned results. The general case is tracked in https://fedorahosted.org/freeipa/ticket/5168 We plan to fix this on the 389-DS level, Thierry (CCed) will file the DS ticket.
However, if you are interested in having this update in RHEL as asynchronous update and you have a subscription, please file a customer case :-)

From mkosek at redhat.com Mon Sep 14 06:26:38 2015 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 14 Sep 2015 08:26:38 +0200 Subject: [Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1 In-Reply-To: References: Message-ID: <55F6689E.8000107@redhat.com>
On 09/12/2015 09:51 AM, Natxo Asenjo wrote: > On Sat, Sep 12, 2015 at 9:43 AM, Natxo Asenjo > wrote: > >> hi, >> >> In a test network I followed the procedure specified in >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html >> to migrate from a centos 6.7 ipa server to a new centos 7 ipa server. >> >> Everything went fine, I shut down the centos 6.7 host and I can kinit to >> the test realm like before with everything being handled by the centos 7.1 >> ipa server. >> >> Unfortunately, firefox is not loading the web ui with the message: >> >> An error occurred during a connection to kdc2.unix.domain.tld. The OCSP >> server experienced an internal error. (Error code: >> sec_error_ocsp_server_error) >> >> >> Chrome works fine, it does not query the ocsp responder apparently. If I >> turn off the ocsp queries in firefox, everything works. >> >> So how can I troubleshoot this? I have turned off the firewall in the >> centos 7.1 hosts, selinux is permissive. >> > > ok, so I found something: > > $ openssl s_client -connect kdc2.unix.domain.tld:443 | openssl x509 -noout > -text | grep -i ocsp > OCSP - URI:http://kdc1.unix.domain.tld:80/ca/ocsp > > so it's pointing to the centos 6.7 box, and that one is gone. That's why > it's not working. > > Shouldn't the certificates be modified or recreated when decommissioning > replicas? I must have done something wrong when decommissioning the server > ...
> > Anyway, I created an A record for kdc1 pointing to kdc2 and now it's > working, but I wonder if this is the 'right' approach. Hello Natxo, During migration, certificates are not touched. This is a bug/deficiency in FreeIPA in RHEL-6.x, it uses the issuing FreeIPA hostname as the CRL/OCSP contact. This should be fully fixed in FreeIPA 3.2 or later, see upstream ticket (and linked design page): https://fedorahosted.org/freeipa/ticket/3547 In the RHEL-7 versions, certificates should be pointing to the joint name "ipa-ca.DOMAIN" pointing to FreeIPA servers with CA. What you can do now is to either keep the "A" record as you already have, or alternatively you can re-issue certificates ("ipa-getcert resubmit") that are pointing to the RHEL-6 machine. HTH, Martin From mkosek at redhat.com Mon Sep 14 06:28:36 2015 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 14 Sep 2015 08:28:36 +0200 Subject: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate In-Reply-To: <1442062679.4520.24.camel@interlinx.bc.ca> References: <1442062679.4520.24.camel@interlinx.bc.ca> Message-ID: <55F66914.3020404@redhat.com> On 09/12/2015 02:57 PM, Brian J. Murrell wrote: > Due to the bug in mod_nss that prevents SNI from functioning (i.e. > limits a port to a single certificate) I need to add SANs > (SubjectAltName) to the certificate that freeipa created for the > webserver (Server-Cert) so that I can add more virtual hosts to the > same Apache instance (yes, I know this is not advised but budgetary > constraints are at play here). > > How do I go about that? Do I want to resubmit the certificate request > with some -D alt.name1 -D alt.name2, etc. parameters as such: > > # ipa-getcert resubmit -i -D alt.name1 -D alt.name2 > > Is that the correct operation? If so, is there anything more I need to > do after that? > > Cheers, > b. 
Hello, It is the right way to do it AFAIK, however it would only work with FreeIPA 4.0 or older: https://fedorahosted.org/freeipa/ticket/3977 Speaking in RHEL/CentOS versions, this is 7.1 or older.

From mkosek at redhat.com Mon Sep 14 06:31:27 2015 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 14 Sep 2015 08:31:27 +0200 Subject: [Freeipa-users] ipa-client-install --request-cert fails In-Reply-To: References: Message-ID: <55F669BF.2070907@redhat.com>
On 09/12/2015 03:14 PM, Natxo Asenjo wrote: > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo > wrote: > >> hi, >> >> on a centos 7.1 host when enrolling it with (among others) the switch >> --request-cert it does not create a host certificate for it. The host is >> properly joined but no certificate is present. >> >> In the ipaclient-install.log file I see this: >> >> 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed >> > > it's not working when joining a centos 6.7 realm either, same error. We would need more debug messages from the client log or the server apache log to see what's wrong. You can also try to "ipa-getcert request" a new certificate and see what is the response from the server, why the request failed. CCing Jan for reference.

From dkupka at redhat.com Mon Sep 14 06:32:42 2015 From: dkupka at redhat.com (David Kupka) Date: Mon, 14 Sep 2015 08:32:42 +0200 Subject: [Freeipa-users] V6 and v4 In-Reply-To: References: Message-ID: <55F66A0A.80704@redhat.com>
On 13/09/15 16:33, Janelle wrote: > Hello, > > I read something recently that if IPv6 is disabled on a server this hurts performance in some way? Is there more info on this or did I misread it? > > Thank you > ~J > > > Hello Janelle, I do not know about any performance issue with disabled IPv6. Only case that came to my mind would be having AAAA records in DNS and not having corresponding IPv6 on that host but that is general misconfiguration.
-- David Kupka

From mkosek at redhat.com Mon Sep 14 06:32:49 2015 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 14 Sep 2015 08:32:49 +0200 Subject: [Freeipa-users] V6 and v4 In-Reply-To: References: Message-ID: <55F66A11.6000708@redhat.com>
On 09/13/2015 04:33 PM, Janelle wrote: > Hello, > > I read something recently that if IPv6 is disabled on a server this hurts performance in some way? Is there more info on this or did I misread it? > > Thank you > ~J The only area where I recall disabled IPv6 causing trouble is http://www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage Maybe Jan or Alexander knows more.

From abokovoy at redhat.com Mon Sep 14 06:46:30 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 14 Sep 2015 09:46:30 +0300 Subject: [Freeipa-users] V6 and v4 In-Reply-To: References: Message-ID: <20150914064630.GP6168@redhat.com>
On Sun, 13 Sep 2015, Janelle wrote: >Hello, > >I read something recently that if IPv6 is disabled on a server this >hurts performance in some way? Is there more info on this or did I >misread it? Do not disable IPv6 stack on your machines. By disabling IPv6 you are not doing any good. On the contrary, many contemporary software projects are using IPv6-enabled network calls by default because both IPv6 and IPv4 share the same name space on the machine so you only need to listen on an IPv6 port to accept both IPv4 and IPv6. This is a recommended approach for networking applications' developers for years already. Note that this means only that support for IPv6 stack is enabled in the kernel. You are not required to go with IPv6 networking addresses, this is not really needed if you don't want to. But allowing applications to be IPv6 aware is required. FreeIPA has several components which are programmed in such a way that they expect IPv6 stack to be enabled for reasons outlined above.
If you disable IPv6 stack, FreeIPA will partially malfunction and will not really be in a supported state, especially when we are talking about trusts to Active Directory (and, in future, IPA to IPA trust). -- / Alexander Bokovoy

From mbasti at redhat.com Mon Sep 14 07:03:02 2015 From: mbasti at redhat.com (Martin Basti) Date: Mon, 14 Sep 2015 09:03:02 +0200 Subject: [Freeipa-users] ipa-client-install not creating reverse DNS entries In-Reply-To: References: <1441992746.29376.27.camel@willson.usersys.redhat.com> <55F3BB1A.6090304@nathanpeters.com> Message-ID: <55F67126.7030802@redhat.com>
Hi, can you check the journalctl -u named(-pkcs11) on server, there might be errors why PTR record has not been added. Do you have enabled dynamic updates for the reverse zone? Martin On 09/12/2015 10:42 PM, Youenn PIOLET wrote: > > Hi, > > I've seen the same issue recently on various clients using ipa 3.3 and > ipa 4.* during the first join on a clean OS. Can't confirm it was > working before. Is it normal behavior? > > Allow PTR sync is enabled. > > Cheers, > > On 12 Sep 2015 7:44 AM, "Nathan Peters" > wrote: > > > On 9/11/2015 10:32 AM, Simo Sorce wrote: > > On Fri, 2015-09-11 at 10:25 -0700, nathan at nathanpeters.com > wrote: > > I have been trying to figure this out for a while now but > when I join > machine to FreeIPA, the installer properly creates forward DNS > entries, and DNS SSHFP entries, but does not create reverse > entries. > Without the PTR records, kerberos logins are always > failing on these > machines. > > I am interested in understanding what fails exactly, stuff > should not > depend on reverse resolution can you give me an example of a > failure? > > For the PTR creation anyway have you enabled the option to > allow setting > PTR records? > There is a global DNS option (as well as per-zone setting) called > "Allow PTR Sync" you may want to enable.
> > > When we attempt to login using kerberos on a machine that has no > reverse DNS entry defined, we are instead prompted with a password > prompt. The password authentication still works but the ticket > does not. > > > From what I read, the Allow PTR Sync option is only used in > conjunction with DNS IP address changes and does not apply to the > initial join of the domain. > > Is the joining process supposed to create reverse DNS entries for > the clients or just forward entries and SSHFP entries? > >

From morgan at marodin.it Mon Sep 14 07:24:15 2015 From: morgan at marodin.it (Morgan Marodin) Date: Mon, 14 Sep 2015 09:24:15 +0200 Subject: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets In-Reply-To: <20150911202452.GM6168@redhat.com> References: <20150911202452.GM6168@redhat.com> Message-ID:
The Pro edition. I've solved my connection problem, I have to specify manually the username (name.surname at ad_domain.com) with Microsoft SSPI. In this mode it is OK, but using Putty "Use system username" does not work for me. I don't know why :) Bye, Morgan 2015-09-11 22:24 GMT+02:00 Alexander Bokovoy : > On Fri, 11 Sep 2015, Morgan Marodin wrote: > >> Hi everyone. >> >> I've seen these guides: >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ssh.html >> >> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ssh.html >> >> https://www.dalemacartney.com/2013/08/30/single-sign-on-sso-with-secure-shell-ssh/ >> >> But I've not been able to access via ssh to a freeipa client with kerberos >> tickets.
>> I've also tried to install MIT kerberos to my windows 8.1, but doesn't >> work either. >> > This is not required. > > What Windows 8.1 version you have? Is it a Pro edition (the other > editions don't join AD)? > > The target freeipa client is a RHEL 6.7 like distribution. >> >> Naturally trying with AD username (name.surname at mydomain.com) and >> password >> is ok. >> >> Do you have any suggestions for this problem? >> > Enable DEBUG3 level logging in sshd_config for SSH server, attempt to > login from Windows client and show the logs around 'userok' in the > resulting debug output. > > -- > / Alexander Bokovoy > -- Morgan Marodin email: morgan at marodin.it mobile: +39.3477829069

From sbose at redhat.com Mon Sep 14 07:46:38 2015 From: sbose at redhat.com (Sumit Bose) Date: Mon, 14 Sep 2015 09:46:38 +0200 Subject: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets In-Reply-To: References: <20150911202452.GM6168@redhat.com> Message-ID: <20150914074638.GD3123@p.redhat.com>
On Mon, Sep 14, 2015 at 09:24:15AM +0200, Morgan Marodin wrote: > The Pro edition. > > I've solved my connection problem, I have to specify manually the username ( > name.surname at ad_domain.com) with Microsoft SSPI. > In this mode it is OK, but using Putty "Use system username" does not work for > me. iirc putty strips the domain part '@ad_domain.com' here and only uses 'name.surname' to log into a client. Since by default we require a fully-qualified name which includes the domain part to avoid ambiguity the login fails. HTH bye, Sumit > > > I don't know why :) > Bye, Morgan > > 2015-09-11 22:24 GMT+02:00 Alexander Bokovoy : > > > On Fri, 11 Sep 2015, Morgan Marodin wrote: > > > >> Hi everyone.
> >> > >> I've seen these guides: > >> > >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ssh.html > >> > >> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ssh.html > >> > >> https://www.dalemacartney.com/2013/08/30/single-sign-on-sso-with-secure-shell-ssh/ > >> > >> But I've not been able to access via ssh to a freeipa client with kerberos > >> tickets. > >> I've also tried to install MIT kerberos to my windows 8.1, but doesn't > >> work either. > >> > > This is not required. > > > > What Windows 8.1 version you have? Is it a Pro edition (the other > > editions don't join AD)? > > > > The target freeipa client is a RHEL 6.7 like distribution. > >> > >> Naturally trying with AD username (name.surname at mydomain.com) and > >> password > >> is ok. > >> > >> Do you have any suggestions for this problem? > >> > > Enable DEBUG3 level logging in sshd_config for SSH server, attempt to > > login from Windows client and show the logs around 'userok' in the > > resulting debug output. > > > > -- > > / Alexander Bokovoy > > > > > > -- > Morgan Marodin > email: morgan at marodin.it > mobile: +39.3477829069

From abokovoy at redhat.com Mon Sep 14 07:48:25 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 14 Sep 2015 10:48:25 +0300 Subject: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets In-Reply-To: References: <20150911202452.GM6168@redhat.com> Message-ID: <20150914074825.GR6168@redhat.com>
On Mon, 14 Sep 2015, Morgan Marodin wrote: >The Pro edition. > >I've solved my connection problem, I have to specify manually the username ( >name.surname at ad_domain.com) with Microsoft SSPI.
>In this mode it is OK, but using Putty "Use system username" does not work for >me. > > >I don't know why :) A problem is in the fact that when you use PuTTY's 'use system username', it only provides an unqualified name there, e.g. Administrator, not AD\Administrator or Administrator at AD.TEST. On IPA client side AD users are fully qualified and thus a user you are trying to login to (Administrator) is not the same as the user you are (Administrator at ad.test). -- / Alexander Bokovoy

From jpazdziora at redhat.com Mon Sep 14 07:59:40 2015 From: jpazdziora at redhat.com (Jan Pazdziora) Date: Mon, 14 Sep 2015 09:59:40 +0200 Subject: [Freeipa-users] ipa-client-install --request-cert fails In-Reply-To: References: Message-ID: <20150914075940.GI15811@redhat.com>
On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote: > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo > wrote: > > > on a centos 7.1 host when enrolling it with (among others) the switch > > --request-cert it does not create a host certificate for it. The host is > > properly joined but no certificate is present. > > > > In the ipaclient-install.log file I see this: > > > > 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed > > it's not working when joining a centos 6.7 realm either, same error. Also reproduced on RHEL 7.1 and RHEL 7.2 (to be). I've filed https://bugzilla.redhat.com/show_bug.cgi?id=1262718 now. Thank you for bringing this to our attention.
-- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From tbordaz at redhat.com Mon Sep 14 08:36:45 2015 From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 14 Sep 2015 10:36:45 +0200 Subject: [Freeipa-users] Search 'hosts' In-Reply-To: <55F6669A.4010704@redhat.com> References: <55F6669A.4010704@redhat.com> Message-ID: <55F6871D.3050009@redhat.com>
On 09/14/2015 08:18 AM, Martin Kosek wrote: > On 09/12/2015 01:12 AM, Craig White wrote: >> ipa-server-4.1.0-18.el7_1.4.x86_64 >> >> Maybe I was spoiled but from the web ui, I can't seem to search for hosts or DNS names - all searches seem to return nothing at all >> >> User searches work (thankfully) >> >> Previous version 3.0.0 from RHEL6 I could just put in ipa and get the hosts listed that had ipa in them. >> >> Is it just me? >> >> Craig White >> System Administrator >> O 623-201-8179 M 602-377-9752 >> >> SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032 > > Hello Craig, > > I think you are hitting > https://fedorahosted.org/freeipa/ticket/5167 > This particular host-find search should be fixed in RHEL-7.2. > > There was an overly strict fix of a CVE, resulting in non-ideal general > searches that are used in Web UI, causing 0 returned results. The general case > is tracked in > https://fedorahosted.org/freeipa/ticket/5168 > > We plan to fix this on the 389-DS level, Thierry (CCed) will file the DS > ticket. However, if you are interested in having this update in RHEL as > asynchronous update and you have a subscription, please file a customer case :-) Hello Craig, The 389-ds ticket is https://fedorahosted.org/389/ticket/48275. It will be triaged soon. So far, it still needs some investigations. thanks thierry
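The vsftpd audit records quoted earlier on this page (in the "vsftpd PAM setup problem" thread) show the difference between a local login, where the audit record lists grantors=pam_listfile,pam_shells,pam_unix, and the IPA user's failure, where grantors is empty (printed as "?"). The following is an added example, not code from the thread, from SSSD or from FreeIPA: a parser for Linux audit USER_AUTH records that pulls the nested msg='...' fields apart, collapses IPv4-mapped peers such as ::ffff:192.168.1.11 to the IPv4 address, and lists PAM authentications that failed with no grantor at all. The first two sample records are the ones quoted in the thread; the third (sshd) record is constructed to show what an authentication that went through SSSD looks like, with pam_sss as the grantor, and its pid, serial and timestamp are made up.

```python
"""Added example (not from the thread): parse Linux audit USER_AUTH records and
flag PAM authentications that failed with no module listed as a grantor."""
import ipaddress
import re
from collections import Counter

AUDIT_HDR = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
# key=value where the value is "double-quoted", 'single-quoted' (the nested msg='...') or bare
KV = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S*))""")


def parse_kv(text):
    """Split an audit key=value run into a dict, unquoting the values."""
    return {m[1]: next(v for v in (m[2], m[3], m[4]) if v is not None) for m in KV.finditer(text)}


def normalize_addr(addr):
    """Collapse an IPv4-mapped IPv6 peer (::ffff:a.b.c.d) to its IPv4 form; leave anything else alone."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    return str(getattr(ip, "ipv4_mapped", None) or ip)


def parse_audit_line(line):
    """One audit record -> dict with the quoted msg='...' fields merged in and grantors as a list."""
    m = AUDIT_HDR.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    fields = parse_kv(m["rest"])
    rec.update(parse_kv(fields.pop("msg", "")))   # inner fields: op, grantors, acct, exe, addr, res ...
    rec.update(fields)                            # outer fields: pid, uid, auid, ses, subj
    g = rec.get("grantors", "?")
    rec["grantors"] = [] if g == "?" else g.split(",")
    if "addr" in rec:
        rec["addr"] = normalize_addr(rec["addr"])
    return rec


def pam_failures_without_grantor(lines):
    """(acct, exe, addr) for every USER_AUTH record that failed with an empty grantor list."""
    out = []
    for rec in filter(None, map(parse_audit_line, lines)):
        if (rec["type"] == "USER_AUTH" and rec.get("op") == "PAM:authentication"
                and rec.get("res") == "failed" and not rec["grantors"]):
            out.append((rec.get("acct"), rec.get("exe"), rec.get("addr")))
    return out


def grantor_summary(lines):
    """Count USER_AUTH outcomes per (exe, grantor chain, result): which PAM stack each service used."""
    c = Counter()
    for rec in filter(None, map(parse_audit_line, lines)):
        if rec["type"] == "USER_AUTH":
            c[(rec.get("exe"), ",".join(rec["grantors"]) or "?", rec.get("res"))] += 1
    return c


# Sample input: the two vsftpd records quoted in the thread, plus one CONSTRUCTED sshd
# record showing an authentication answered by SSSD (pam_sss listed as grantor).
SAMPLE_AUDIT = """\
type=USER_AUTH msg=audit(1442012213.988:24095): pid=27280 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="admin" exe="/usr/sbin/vsftpd" hostname=::ffff:192.168.1.11 addr=::ffff:192.168.1.11 terminal=ftp res=failed'
type=USER_AUTH msg=audit(1442012143.221:24056): pid=27173 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_listfile,pam_shells,pam_unix acct="jcnt" exe="/usr/sbin/vsftpd" hostname=::ffff:192.168.1.11 addr=::ffff:192.168.1.11 terminal=ftp res=success'
type=USER_AUTH msg=audit(1442012300.000:24120): pid=27301 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_sss acct="admin" exe="/usr/sbin/sshd" hostname=192.168.1.11 addr=192.168.1.11 terminal=ssh res=success'
"""

if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    print(pam_failures_without_grantor(lines))
    for key, n in sorted(grantor_summary(lines).items()):
        print(n, *key)
```

Run it against a real file with `parse_audit_line` over `open("/var/log/audit/audit.log")`; an entry in the summary whose grantor chain is "?" for a service that is supposed to authenticate IPA users is the thing to chase next to the pam_sss messages in /var/log/secure that Jakub points at.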
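For the "V6 and v4" thread above: a service that binds a single AF_INET6 socket to :: with IPV6_V6ONLY switched off serves both address families, and IPv4 clients then appear as IPv4-mapped peers, which is the ::ffff:192.168.1.11 form visible in the vsftpd audit lines. This is an added example, not code from the thread or from FreeIPA, that exercises that mechanism on loopback and returns a dict describing which of three outcomes happened: no usable IPv6 listener at all (the state a machine is in when the IPv6 stack is disabled), a v6-only listener refusing the IPv4 client, or the dual-stack case. The ephemeral port and the two-second timeout are assumptions.

```python
"""Added example (not from the thread or FreeIPA): does a single IPv6 listener
on this host accept an IPv4 client, and how does that client's address show up?"""
import socket
import threading


def dual_stack_probe(v6only=False, timeout=2.0):
    """Open an AF_INET6 listener on an ephemeral port, then connect to it over 127.0.0.1."""
    srv = None
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        # 0 = accept IPv4 too (peer shows as ::ffff:a.b.c.d); 1 = IPv6 clients only
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        srv.bind(("::", 0))          # wildcard address, kernel-chosen port (assumption)
        srv.listen(1)
    except OSError as exc:           # no IPv6 stack, or the option/bind refused
        if srv is not None:
            srv.close()
        return {"v6_listener": False, "v6only": v6only, "v4_reachable": False,
                "peer": None, "error": str(exc)}
    port = srv.getsockname()[1]
    srv.settimeout(timeout)
    seen = {}

    def accept_once():
        try:
            conn, peer = srv.accept()
            seen["peer"] = peer[0]   # '::ffff:127.0.0.1' when an IPv4 client lands on the v6 socket
            conn.close()
        except OSError:              # timed out: nobody got through
            pass

    t = threading.Thread(target=accept_once)
    t.start()
    try:
        socket.create_connection(("127.0.0.1", port), timeout=timeout).close()
        reachable = True
    except OSError as exc:           # ECONNREFUSED on a v6-only listener
        reachable, seen["error"] = False, str(exc)
    t.join(timeout + 1)
    srv.close()
    return {"v6_listener": True, "v6only": v6only, "v4_reachable": reachable,
            "peer": seen.get("peer"), "error": seen.get("error")}


def describe(result):
    """One-line reading of a probe result."""
    if not result["v6_listener"]:
        return "no usable IPv6 listener: " + result["error"]
    if result["v4_reachable"]:
        return "dual-stack listener; IPv4 client seen as " + str(result["peer"])
    return "IPv6-only listener; IPv4 client refused"


if __name__ == "__main__":
    print(describe(dual_stack_probe()))
    print(describe(dual_stack_probe(v6only=True)))
```

On a host where the kernel's IPv6 stack has been disabled the first call fails before a port is even bound, which is the situation Alexander describes: a daemon written to listen once on the IPv6 wildcard does not degrade to IPv4, it simply has no socket.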
From morgan at marodin.it Mon Sep 14 09:16:57 2015 From: morgan at marodin.it (Morgan Marodin) Date: Mon, 14 Sep 2015 11:16:57 +0200 Subject: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets In-Reply-To: <20150914074825.GR6168@redhat.com> References: <20150911202452.GM6168@redhat.com> <20150914074825.GR6168@redhat.com> Message-ID:
Ok, but now I've another problem :) If I disable the default allow_all HBAC rule creating one custom HBAC rule that enables ad_admins to access any host any service, kerberos ticket via ssh does not work. Username/password authentication with the same custom HBAC rules works.
SSH logs with kerberos authentication:
Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to Administrator at mydomain.com, krb5 principal Administrator at MYDOMAIN.COM (krb5_kuserok)
Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access denied for user Administrator at mydomain.com: 6 (Permission denied)
Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user Administrator at mydomain.com by PAM account configuration
SSH logs with username/password authentication:
Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=Administrator at mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=Administrator at mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for Administrator at mydomain.com from 192.168.0.252 port 49590 ssh2
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session opened for user Administrator at mydomain.com by (uid=0)
If I enable allow_all HBAC rule kerberos authentication works. Maybe there is something else to configure?
Thanks, Morgan 2015-09-14 9:48 GMT+02:00 Alexander Bokovoy : > On Mon, 14 Sep 2015, Morgan Marodin wrote: > >> The Pro edition. >> >> I've solved my connection problem, I have to specify manually the >> username ( >> name.surname at ad_domain.com) with Microsoft SSPI. >> In this mode it is OK, but using Putty "Use system username" does not work for >> me. >> >> >> I don't know why :) >> > A problem is in the fact that when you use PuTTY's 'use system > username', it only provides an unqualified name there, e.g. > Administrator, not AD\Administrator or Administrator at AD.TEST. On IPA > client side AD users are fully qualified and thus a user you are trying > to login to (Administrator) is not the same as the user you are > (Administrator at ad.test). > -- > / Alexander Bokovoy > -- Morgan Marodin email: morgan at marodin.it mobile: +39.3477829069

From sbose at redhat.com Mon Sep 14 09:35:41 2015 From: sbose at redhat.com (Sumit Bose) Date: Mon, 14 Sep 2015 11:35:41 +0200 Subject: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets In-Reply-To: References: <20150911202452.GM6168@redhat.com> <20150914074825.GR6168@redhat.com> Message-ID: <20150914093541.GF3123@p.redhat.com>
On Mon, Sep 14, 2015 at 11:16:57AM +0200, Morgan Marodin wrote: > Ok, but now I've another problem :) > > If I disable the default allow_all HBAC rule creating one custom HBAC rule > that enables ad_admins to access any host any service, kerberos ticket via > ssh does not work. > Username/password authentication with the same custom HBAC rules works.
> > SSH logs with kerberos authentication: > Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to > Administrator at mydomain.com, krb5 principal Administrator at MYDOMAIN.COM > (krb5_kuserok) > Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access > denied for user Administrator at mydomain.com: 6 (Permission denied) > Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user > Administrator at mydomain.com by PAM account configuration > > SSH logs with username/password authentication: > Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth): > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > rhost=192.168.0.252 user=Administrator at mydomain.com > Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication > success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user= > Administrator at mydomain.com > Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for > Administrator at mydomain.com from 192.168.0.252 port 49590 ssh2 > Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session > opened for user Administrator at mydomain.com by (uid=0) > > If I enable allow_all HBAC rule kerberos authentication works. > Maybe there is something else to configure? no, HBAC result should not change depending on the authentication method. Can you send me the SSSD logs with a high debug level (10) for both cases? If you prefer you can send them to me directly. bye, Sumit > > Thanks, Morgan > > 2015-09-14 9:48 GMT+02:00 Alexander Bokovoy : > > > On Mon, 14 Sep 2015, Morgan Marodin wrote: > > > >> The Pro edition. > >> > >> I've solved my connection problem, I have to specify manually the > >> username ( > >> name.surname at ad_domain.com) with Microsoft SSPI. > >> In this mode it is OK, but using Putty "Use system username" does not work for > >> me.
> >> > >> > >> I don't know why :) > >> > > A problem is in the fact that when you use PuTTY's 'use system > > username', it does only provide unqualified name there, e.g. > > Administrator, not AD\Administrator or Administrator at AD.TEST. On IPA > > client side AD users are fully qualified and thus a user you are trying > > to login to (Administrator) is not the same as the user you are > > (Adminsitrator at ad.test). > > -- > > / Alexander Bokovoy > > > > > > -- > Morgan Marodin > email: morgan at marodin.it > mobile: +39.3477829069 > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From brian at interlinx.bc.ca Mon Sep 14 11:05:16 2015 From: brian at interlinx.bc.ca (Brian J. Murrell) Date: Mon, 14 Sep 2015 07:05:16 -0400 Subject: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate In-Reply-To: <55F66914.3020404@redhat.com> References: <1442062679.4520.24.camel@interlinx.bc.ca> <55F66914.3020404@redhat.com> Message-ID: <1442228716.4520.119.camel@interlinx.bc.ca> On Mon, 2015-09-14 at 08:28 +0200, Martin Kosek wrote: > Hello, Hi, > It is the right way to do it AFAIK, Indeed, no. It's a hack around the lack of SNI support in mod_nss. > however it would only work with FreeIPA 4.0 > or older: > > https://fedorahosted.org/freeipa/ticket/3977 That's right. I don't even know what the workaround would be for older than FreeIPA 4.0. Probably the only choice left there is to run the additional virtual hosts on a port other than 443. But that's an even uglier hack as it's user-facing. > Speaking in RHEL/CentOS versions, this is 7.1 or older. My 7.1 has FreeIPA 4.1. Cheers, b. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: This is a digitally signed message part URL: From morgan at marodin.it Mon Sep 14 12:44:58 2015 From: morgan at marodin.it (Morgan Marodin) Date: Mon, 14 Sep 2015 14:44:58 +0200 Subject: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets In-Reply-To: <20150914093541.GF3123@p.redhat.com> References: <20150911202452.GM6168@redhat.com> <20150914074825.GR6168@redhat.com> <20150914093541.GF3123@p.redhat.com> Message-ID: Now is working, with the same configuration ... Could it be possibile some delay on the trust if the AD group was a new one? Thanks, Morgan 2015-09-14 11:35 GMT+02:00 Sumit Bose : > On Mon, Sep 14, 2015 at 11:16:57AM +0200, Morgan Marodin wrote: > > Ok, but now I've an other problem :) > > > > If I disable the default allow_all HBAC rule creating one custom HBAC > rule > > that enable ad_admins to access any host any service, kerberos ticket via > > ssh does not works. > > Username/password authentication with the same custom HBAC rules works. 
> > > > SSH logs with kerberos authentication: > > Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to > > Administrator at mydomain.com, krb5 principal Administrator at MYDOMAIN.COM > > (krb5_kuserok) > > Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access > > denied for user Administrator at mydomain.com: 6 (Permission denied) > > Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user > > Administrator at mydomain.com by PAM account configuration > > > > SSH logs with username/password authentication: > > Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth): > > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > > rhost=192.168.0.252 user=Administrator at mydomain.com > > Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): > authentication > > success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user= > > Administrator at mydomain.com > > Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for > > Administrator at mydomain.com from 192.168.0.252 port 49590 ssh2 > > Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session > > opened for user Administrator at mydomain.com by (uid=0) > > > > If I enable allow_all HBAC rule kerberos authentication works. > > Maybe is there something else to configure? > > no, HBAC result should not change depending on the authentication > method. Can you send me the SSSD logs with a high debug level (10) for > both cases? If you prefer you can send them to me directly. > > bye, > Sumit > > > > > Thanks, Morgan > > > > 2015-09-14 9:48 GMT+02:00 Alexander Bokovoy : > > > > > On Mon, 14 Sep 2015, Morgan Marodin wrote: > > > > > >> The Pro edition. > > >> > > >> I've solved my connection problem, I have to specify manually the > > >> username ( > > >> name.surname at ad_domain.com) with Microsoft SSPI. > > >> In this mode is ok, but using Putty "Use system username" do not > works for > > >> me. 
> > >> > > >> > > >> I don't know why :) > > >> > > > A problem is in the fact that when you use PuTTY's 'use system > > > username', it does only provide unqualified name there, e.g. > > > Administrator, not AD\Administrator or Administrator at AD.TEST. On IPA > > > client side AD users are fully qualified and thus a user you are trying > > > to login to (Administrator) is not the same as the user you are > > > (Adminsitrator at ad.test). > > > -- > > > / Alexander Bokovoy > > > > > > > > > > > -- > > Morgan Marodin > > email: morgan at marodin.it > > mobile: +39.3477829069 > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -- Morgan Marodin email: morgan at marodin.it mobile: +39.3477829069 -------------- next part -------------- An HTML attachment was scrubbed... URL: From pbrezina at redhat.com Mon Sep 14 13:08:11 2015 From: pbrezina at redhat.com (=?UTF-8?B?UGF2ZWwgQsWZZXppbmE=?=) Date: Mon, 14 Sep 2015 15:08:11 +0200 Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db In-Reply-To: References: Message-ID: <55F6C6BB.1040902@redhat.com> On 09/11/2015 02:40 PM, Moln?r Domokos wrote: > Full log attached. > "Moln?r Domokos" ?rta: > > > "Pavel B?ezina" ?rta: > > On 09/09/2015 09:31 PM, Moln?r Domokos wrote: > > I have a working IPA server and a working client config on an OpenSuse > > 13.2 with the following versions: > > nappali:~ # rpm -qa |grep sssd > > sssd-tools-1.12.2-3.4.1.i586 > > sssd-krb5-1.12.2-3.4.1.i586 > > python-sssd-config-1.12.2-3.4.1.i586 > > sssd-ipa-1.12.2-3.4.1.i586 > > sssd-1.12.2-3.4.1.i586 > > sssd-dbus-1.12.2-3.4.1.i586 > > sssd-krb5-common-1.12.2-3.4.1.i586 > > sssd-ldap-1.12.2-3.4.1.i586 > > sssd is confihured for nss, pam, sudo > > There is a test sudo rule defined in the ipa server, which applies to > > user "doma". 
However when the user tries to use sudo the rule does not > > work. > > doma at nappali:/home/doma> sudo ls > > doma's password: > > doma is not allowed to run sudo on nappali. This incident will be reported. > > The corresponding log in the sssd_sudo.log is this: > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > > Received client version [1]. > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > > Offered version [1]. > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > > (0x0200): name 'doma' matched without domain, user is doma > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > > (0x0200): name 'doma' matched without domain, user is doma > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > > (0x0200): Requesting default options for [doma] from [] > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): > > Requesting info about [doma at szilva] > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] > > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] > > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > > [(&(objectClass=sudoRule)(|(name=defaults)))] > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > > (0x0200): name 'doma' matched without domain, user is doma > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > > (0x0200): name 'doma' matched without domain, user is doma > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > > (0x0200): Requesting rules for [doma] from [] > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): > > Requesting info about [doma at szilva] > > (Wed 
Sep 9 21:25:25 2015) [sssd[sudo]] > > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] > > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] > > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] > > (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client > > disconnected! > > This seems perfectly OK with one exception. The query against the sysdb > > does not find the entry. This is strange because the entry is there. > > Log in sssd.log: > > (Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): > > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb > > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb > > Running the exact same query seen above in the sssd_sudo.log against the > > db returns: > > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb > > "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))" > > asq: Unable to register control with rootdse! > > # record 1 > > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb > > cn: Doma_ls > > dataExpireTimestamp: 1441830262 > > entryUSN: 20521 > > name: Doma_ls > > objectClass: sudoRule > > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva > > sudoCommand: ls > > sudoHost: nappali.szilva > > sudoRunAsGroup: ALL > > sudoRunAsUser: ALL > > sudoUser: doma > > distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb > > # returned 1 records > > # 1 entries > > # 0 referrals > > This confirms that the entry is indeed there in the db. 
> > Why is it found with ldbsearch and why does sssd_sudo not find it?
> > I am pretty much stuck with this one. Anyone has an idea?
> >
> >
> Hi,
> this is strange. Can you provide the logs with debug level set to 0x3ff0 please? Can you also send it as an attachment? Thanks!
>
> Sure. Here it is. Now I can see that the rule is returned. The question is why the rule does not match. Anyway much better :)

Hi, thanks for the logs. Since the rule is returned, we will get more information from sudo logs. Can you please enable sudo logging by putting the following line into /etc/sudo.conf?

Debug sudo /var/log/sudo_debug all@trace

Run sudo and send us /var/log/sudo_debug? Thanks!

From pawel.fiuto at mixrad.io Mon Sep 14 14:01:23 2015
From: pawel.fiuto at mixrad.io (Pawel Fiuto)
Date: Mon, 14 Sep 2015 14:01:23 +0000
Subject: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd
In-Reply-To:
References:
Message-ID:

Hi Gustavo,

Using settings from 'ipa-advise config-redhat-sssd-before-1-9' with below modifications seems to work quite well:

- on ipa server add permission to read ipaSshPubKey anonymously:

[ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user --attrs=ipaSshPubKey --bindtype=anonymous --permissions=read

[ipa-client]# diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
2c2
< services = nss, pam, ssh
---
> services = nss, pam
12c12
< ldap_search_base = cn=accounts,dc=example,dc=org
---
> ldap_search_base = cn=compat,dc=example,dc=org
14d13
< ldap_user_ssh_public_key = ipaSshPubKey

________________________________
From: freeipa-users-bounces at redhat.com on behalf of Gustavo Mateus
Sent: 11 September 2015 00:30
To: freeipa-users at redhat.com
Subject: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

Hi,

I'm trying to setup my Amazon Linux instances to be able to fetch the IPA users public ssh key.
Do I have to setup a binddn and bindpw in the ldap.conf file and use /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it? Thanks, Gustavo -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt.wells at mosaic451.com Mon Sep 14 14:13:33 2015 From: matt.wells at mosaic451.com (Matt Wells) Date: Mon, 14 Sep 2015 07:13:33 -0700 Subject: [Freeipa-users] AD Trust Issues In-Reply-To: <20150911203403.GN6168@redhat.com> References: <20150911203403.GN6168@redhat.com> Message-ID: Is the fix in CentOS or RHEL yet? On Fri, Sep 11, 2015 at 1:34 PM, Alexander Bokovoy wrote: > On Fri, 11 Sep 2015, Matt Wells wrote: > >> I've been working on an AD trust with our freeipa servers but have run >> into >> some of the same issues others have had. >> It's well documented here however I feel I've mitigated these - >> https://bugzilla.redhat.com/show_bug.cgi?id=1219832 >> >> Freeipa Servers are Fedora 22 / freeipa-server-4.2.0 >> The Samba version i'm on is well past the patched version. It seems the >> patch is in samba-4.2.1-7.fc22 and I'm on samba-4.2.3-0 (assuming the >> patch >> is in this version). >> >> I run >> # echo Password123 | ipa trust-add --type=ad ad.example.com >> --trust-secret >> ipa: ERROR: CIFS server configuration does not allow access to >> \\pipe\lsarpc >> > This was looking like a partial fix. The full fix is in Fedora 23 with > FreeIPA 4.2.1 release (we didn't yet officially announced it). > > We were all busy at FreeIPA/SSSD gathering in Brno this week so there > wasn't really time to do Fedora 22 backport of the fixes yet. > > -- > / Alexander Bokovoy > -- Matt Wells Chief Systems Architect RHCA, RHCVA - #110-000-353 (702) 808-0424 matt.wells at mosaic451.com Las Vegas | Phoenix | Portland Mosaic451.com CONFIDENTIALITY NOTICE: This transmittal is a confidential communication or may otherwise be privileged. 
If you are not intended recipient, you are hereby notified that you have received this transmittal in error and that any review, dissemination, distribution or copying of this transmittal is strictly prohibited. If you have received this communication in error, please notify this office, and immediately delete this message and all its attachments, if any.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From TMilam at iuhealth.org Mon Sep 14 14:33:57 2015
From: TMilam at iuhealth.org (Milam, Tyler S)
Date: Mon, 14 Sep 2015 14:33:57 +0000
Subject: [Freeipa-users] freeIPA or just SSSD?
Message-ID:

My organization is evaluating new methods of user account provisioning in Linux. What advantages does freeIPA offer over just SSSD?

Some background - we use Active Directory for everything but have a small linux footprint (25 servers). However, many services are going to be migrated from AIX to Linux, and this will increase the number of Linux servers to well over 100.

I've been testing FreeIPA 4.1.0, but having a hard time determining if sssd by itself is 'enough' or if the additional complexity of setting up FreeIPA with a new DNS zone and a 2-way trust with active directory can be justified.

Thanks,
Tyler
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mheslin at redhat.com Mon Sep 14 16:38:00 2015
From: mheslin at redhat.com (Mark Heslin)
Date: Mon, 14 Sep 2015 12:38:00 -0400
Subject: [Freeipa-users] freeIPA or just SSSD?
In-Reply-To:
References:
Message-ID: <55F6F7E8.5070908@redhat.com>

Hi Tyler,

Some comments below...I'm sure others will chime in :-)

On 09/14/2015 10:33 AM, Milam, Tyler S wrote:
>
> My organization is evaluating new methods of user account provisioning in Linux. What advantages does freeIPA offer over just SSSD?
>
Just to be clear, SSSD is the client that can work directly to an existing AD domain, or indirectly to an AD domain via IdM/FreeIPA and a cross-realm Kerberos trust. When you configure an IdM/FreeIPA client, SSSD is configured (via ipa-client-install or realmd). In short:

SSSD -> AD (Direct AD Integration)
SSSD -> IdM/FreeIPA (standard configuration)
SSSD -> IdM/FreeIPA <--- cross-realm Kerberos trust ---> AD (Indirect AD integration)

In general, Direct AD integration is recommended for small environments with few Linux clients. For larger numbers of clients, indirect AD integration is preferred as it will give you more control, granularity to manage users, hosts, services, certs, keytabs, etc.

There are some details that come into play - particularly around which versions of RHEL (or non-RHEL) your clients are on. Attached is a tech brief we put out for Summit that can help.

> Some background - we use Active Directory for everything but have a small linux footprint (25 servers). However, many services are going to be migrated from AIX to Linux, and this will increase the number of Linux servers to well over 100.
>
> I've been testing FreeIPA 4.1.0, but having a hard time determining if sssd by itself is 'enough' or if the additional complexity of setting up FreeIPA with a new DNS zone and a 2-way trust with active directory can be justified.
>
> Thanks,
>
> Tyler
>
--
Mark Heslin
Principal Technical Program Manager - EPM Team
Red Hat Inc.
office: +1 978-392-3125
mobile: +1 603-930-6880
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: AD_Client_Integration_Options-2015-06-23.pdf Type: application/pdf Size: 313206 bytes Desc: not available URL: From gustavo.mateus at gmail.com Mon Sep 14 17:01:57 2015 From: gustavo.mateus at gmail.com (Gustavo Mateus) Date: Mon, 14 Sep 2015 10:01:57 -0700 Subject: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd In-Reply-To: References: Message-ID: I did not try that setup because the config-redhat-sssd-before-1-9 because its description says it works with version 1.5 - 1.8, and Amazon linux has 1.2 config-redhat-sssd-before-1-9 : Instructions for configuring a system with an old version of SSSD (1.5-1.8) as a IPA client. This set of instructions is targeted for platforms that include the authconfig utility, which are all Red Hat based platforms. It is good to know that it works. I'll give it a try. Thanks, Gustavo On Mon, Sep 14, 2015 at 7:01 AM, Pawel Fiuto wrote: > Hi Gustavo, > > Using settings from 'ipa-advise config-redhat-sssd-before-1-9' with below > modifications seems to work quite well: > > - on ipa server add permisson to read ipaSshPubKey anonymously: > > [ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user > --attrs=ipaSshPubKey --bindtype=anonymous --permissions=read > > [ipa-client]# diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig > 2c2 > < services = nss, pam, ssh > --- > > services = nss, pam > 12c12 > < ldap_search_base = cn=accounts,dc=example,dc=org > --- > > ldap_search_base = cn=compat,dc=example,dc=org > 14d13 > < ldap_user_ssh_public_key = ipaSshPubKey > > > > ------------------------------ > *From:* freeipa-users-bounces at redhat.com > on behalf of Gustavo Mateus > *Sent:* 11 September 2015 00:30 > *To:* freeipa-users at redhat.com > *Subject:* [Freeipa-users] AuthorizedKeysCommand for clients using > nss-pam-ldapd > > Hi, > > I'm trying to setup my Amazon Linux instances to be able to fetch the IPA > users public ssh key. 
>
> Do I have to setup a binddn and bindpw in the ldap.conf file and use /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?
>
> Thanks,
> Gustavo
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From marc at bhosted.nl Mon Sep 14 17:30:58 2015
From: marc at bhosted.nl (Marc van de Geijn)
Date: Mon, 14 Sep 2015 17:30:58 +0000
Subject: [Freeipa-users] PHP example of authenticating to Freeipa api
Message-ID:

Hi,

I've been searching for a PHP example that authenticates to the Freeipa API.

Does somebody have working PHP code? I've been trying to get PHP code working with bits I could find, but it does not work.

I want to communicate with Freeipa to add users, change passwords, etc from our administration panel.

Kind regards,
Marc van de Geijn

From janellenicole80 at gmail.com Mon Sep 14 17:34:11 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 14 Sep 2015 10:34:11 -0700
Subject: [Freeipa-users] V6 and v4
In-Reply-To: <20150914064630.GP6168@redhat.com>
References: <20150914064630.GP6168@redhat.com>
Message-ID: <55F70513.8050804@gmail.com>

On 9/13/15 11:46 PM, Alexander Bokovoy wrote:
> On Sun, 13 Sep 2015, Janelle wrote:
>> Hello,
>>
>> I read something recently that if IPv6 is disabled on a server this hurts performance in some way? Is there more info on this or did I misread it?
> Do not disable IPv6 stack on your machines. By disabling IPv6 you are not doing good. On contrary, many contemporary software projects are using IPv6-enabled network calls by default because both IPv6 and IPv4 share the same name space on the machine so you only need to listen on an IPv6 port to accept both IPv4 and IPv6. This is a recommended approach for networking applications' developers for years already.
>
> Note that this means only that support for IPv6 stack is enabled in the kernel. You are not required to go with IPv6 networking addresses, this is not really needed if you don't want to.
But allowing applications to > be IPv6 aware is required. > > FreeIPA has several components which are programmed in such way that > they expect IPv6 stack to be enabled for reasons outlined above. If you > disable IPv6 stack, FreeIPA will partially malfunction and will not > really be in a supported state, especially when we are talking about > trusts to Active Directory (and, in future, IPA to IPA trust). > Currently no AD trusts and none planned ever, but based on your suggestions, I will re-enable the v6 stack. thank you ~J From abokovoy at redhat.com Mon Sep 14 17:44:21 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 14 Sep 2015 20:44:21 +0300 Subject: [Freeipa-users] PHP example of authenticating to Freeipa api In-Reply-To: References: Message-ID: <20150914174421.GC6168@redhat.com> On Mon, 14 Sep 2015, Marc van de Geijn wrote: >Hi, > >I've been searching for an PHP example that autheticates to the Freeipa >API. > >Does somebody have working PHP code? I've been trying to het php code >working with bits I could find, but it does not work. > >I want to communicate with Freeipa to add users, change passwords, etc >from our administration panel. Look at session-based authentication that I described at https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ It should work for any programming language as long as you are capable to process cookies and keep the session somewhere. -- / Alexander Bokovoy From jhrozek at redhat.com Mon Sep 14 19:41:33 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 14 Sep 2015 21:41:33 +0200 Subject: [Freeipa-users] freeIPA or just SSSD? 
In-Reply-To: <55F6F7E8.5070908@redhat.com> References: <55F6F7E8.5070908@redhat.com> Message-ID: <20150914194133.GB22176@Jakubs-MacBook-Pro.local> On Mon, Sep 14, 2015 at 12:38:00PM -0400, Mark Heslin wrote: > Hi Tyler, > > Some comments below...I'm sure others will chime in :-) > > On 09/14/2015 10:33 AM, Milam, Tyler S wrote: > > > >My organization is evaluating new methods of user account provisioning in > >Linux. What advantages does freeIPA offer over just SSSD? > > > > Just to be clear, SS > SD is the client that can work directly to an existing AD domain, or > indirectly to an AD domain via IdM/FreeIPA and a cross-realm Kerberos trust. > When you configure an IdM/FreeIPA client, SSSD is configured (via > ipa-client-install or realmd). In short: > > SSSD -> AD (Direct AD Integration) > SSSD -> IdM/FreeIPA (standard configuration) > SSSD -> IdM/FreeIPA <--- cross-realm Kerberos trust ---> AD (Indirect > AD integration) > > In general, Direct AD integration is recommended for small environments with > few Linux clients. > For larger numbers of clients, indirect AD integration is preferred as it > will give you more control, granularity > to manage users, hosts, services, certs, keytabs, etc. > > There are some details that come into play - particularly around which > versions of RHEL (or non-RHEL) you're clients are on. > Attached is a tech brief we put out for Summit that can help. Also, there were some blog posts Dmitri wrote up not too long ago that compare direct and indirect integration: http://rhelblog.redhat.com/2015/05/27/direct-or-indirect-that-is-the-question/ From jcnt at use.startmail.com Tue Sep 15 00:04:09 2015 From: jcnt at use.startmail.com (jcnt at use.startmail.com) Date: Mon, 14 Sep 2015 20:04:09 -0400 Subject: [Freeipa-users] vsftpd PAM setup problem In-Reply-To: References: Message-ID: > Is there anything for /var/log/secure for vsftpd ? 
I would look for > messages from pam_sss.so Sep 14 19:50:11 fds vsftpd[27097]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=::1 user=admin (END) Nothing from pam_sss.so Found a temporary workaround - turn off selinux, pam_sss now shows up in log files and admin login succeeds. Seems like problem is not related to freeipa itself. -- Josh. From nathan at nathanpeters.com Tue Sep 15 01:29:33 2015 From: nathan at nathanpeters.com (Nathan Peters) Date: Mon, 14 Sep 2015 18:29:33 -0700 Subject: [Freeipa-users] ipa-client-install not creating reverse DNS entries In-Reply-To: <55F67126.7030802@redhat.com> References: <1441992746.29376.27.camel@willson.usersys.redhat.com> <55F3BB1A.6090304@nathanpeters.com> <55F67126.7030802@redhat.com> Message-ID: <55F7747D.6080604@nathanpeters.com> I think it was not having dynamic updates enabled for the reverse zone. I enabled those and PTR sync on both the forward and reverse and now it seems to be working for a new client that I joined. What I'm not clear on at this point is why that is not a default setting. I know at some point I deleted a /24 reverse zone and made a /16 instead because we have too many /24s to manage efficiently. Also, due to the issues that can arise from not having valid PTR entries, you would think that this would be defaulted to on. On 9/14/2015 12:03 AM, Martin Basti wrote: > Hi, > can you check the journalctl -u named(-pkcs11) on server, they might > be errors why PTR record has not been added. > > Do you have enabled dynamic updates for the reverse zone? > > Martin > > On 09/12/2015 10:42 PM, Youenn PIOLET wrote: >> >> Hi, >> >> I've seen the same issue recently on various clients using ipa 3.3 >> and ipa 4.* during the first join on a clean OS. Can't confirm it was >> working before. Is it normal behavior? >> >> Allow PTR sync is enabled. >> >> Cheers, >> >> Le 12 sept. 
2015 7:44 AM, "Nathan Peters" > > a ?crit : >> >> >> On 9/11/2015 10:32 AM, Simo Sorce wrote: >> >> On Fri, 2015-09-11 at 10:25 -0700, nathan at nathanpeters.com wrote: >> >> I have been trying to figure this out for a while now but >> when I join >> machine to FreeIPA, the installer properly creates >> forward DNS >> entries,and DNSSSHFP entries, but does not create reverse >> entries. >> Without the PTR records, kerberos logins are always >> failing on these >> machines. >> >> I am interested in understanding what fails exactly, stuff >> should not >> depend on reverse resolution can you give me an example of a >> failure ? >> >> For the PTR creation anyway have you enabled the option to >> allow setting >> PTR records ? >> There is a global DNS option (As awell as per-zone setting) >> called >> "Allow PTR Sync" you may want to enable. >> >> >> When we attempt to login using kerberos on a machine that has no >> reverse DNS entry defined, we are instead prompted with a >> password prompt. The password authentication still works but the >> ticket does not. >> >> >From what I read, the Allow PTR Sync option is only used in >> conjunction with DNS IP address changes and does not apply to the >> initial join of the domain. >> >> Is the joining process supposed to create reverse DNS entries for >> the clients or just forward entries and SSHFP entries? >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
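The reverse-zone thread above comes down to one question per client: does every address the client's FQDN resolves to have a PTR record that maps back to that same FQDN? Below is a small check for exactly that, added here as an example; it is not code from the thread or from the FreeIPA project. Resolution goes through an injectable resolver, so the logic runs offline against a constructed sample zone (`SAMPLE_ZONE`, with made-up names and addresses) and against the real libc stub resolver when run on a host.

```python
"""
Forward/reverse DNS consistency check for a host about to be enrolled with
ipa-client-install.  Added example; not code from the thread or from FreeIPA.
The resolver is injectable so the check can run offline against constructed
answers (SAMPLE_ZONE below is made up) as well as against the real one.
"""
import socket
from typing import Callable, Dict, List, Tuple

# resolver(qtype, query) -> answers.  qtype "A": name -> addresses,
# qtype "PTR": address -> names.  An empty list means NXDOMAIN / no data.
Resolver = Callable[[str, str], List[str]]


def system_resolver(qtype: str, query: str) -> List[str]:
    """Resolver backed by the libc stub resolver, i.e. what sshd, sssd and the
    Kerberos libraries on the client actually see."""
    try:
        if qtype == "A":
            infos = socket.getaddrinfo(query, None, proto=socket.IPPROTO_TCP)
            return sorted({info[4][0] for info in infos})
        if qtype == "PTR":
            name, aliases, _addrs = socket.gethostbyaddr(query)
            return [name] + list(aliases)
    except OSError:  # covers socket.gaierror and socket.herror
        return []
    return []


def _canon(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def check_host(fqdn: str, resolver: Resolver = system_resolver) -> Tuple[bool, List[str]]:
    """Return (ok, findings).

    ok is True only when fqdn is fully qualified, resolves to at least one
    address, and every one of those addresses has a PTR record that maps back
    to fqdn.  Problems and notable observations are returned as findings.
    """
    findings: List[str] = []
    if "." not in fqdn:
        findings.append(f"{fqdn}: not fully qualified; host principals use the FQDN")
        return False, findings

    addrs = resolver("A", fqdn)
    if not addrs:
        findings.append(f"{fqdn}: no address record")
        return False, findings

    want = _canon(fqdn)
    errors = 0
    for addr in addrs:
        names = [_canon(n) for n in resolver("PTR", addr)]
        if not names:
            errors += 1
            findings.append(f"{addr}: no PTR record (forward {fqdn} -> {addr} is not mirrored)")
        elif want not in names:
            errors += 1
            findings.append(f"{addr}: PTR points to {', '.join(names)}, expected {fqdn}")
        elif len(names) > 1:
            # Not an error, but gethostbyaddr() results become order-dependent,
            # which is worth knowing before chasing an intermittent failure.
            findings.append(f"{addr}: multiple PTR records: {', '.join(names)}")
    return errors == 0, findings


# Constructed sample answers (no real hosts) so the check can run offline.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("A", "ipa-client01.example.test"): ["192.168.0.10"],
    ("PTR", "192.168.0.10"): ["ipa-client01.example.test."],        # consistent
    ("A", "ipa-client02.example.test"): ["192.168.0.11"],             # no PTR at all
    ("A", "ipa-client03.example.test"): ["192.168.0.12"],
    ("PTR", "192.168.0.12"): ["old-name.example.test"],               # stale PTR
    ("A", "ipa-client04.example.test"): ["192.168.0.13"],
    ("PTR", "192.168.0.13"): ["IPA-Client04.example.test.", "alias.example.test"],
}


def sample_resolver(qtype: str, query: str) -> List[str]:
    """Resolver over SAMPLE_ZONE; stands in for the real DNS in tests."""
    return SAMPLE_ZONE.get((qtype, _canon(query)), [])


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    ok, findings = check_host(host)
    for line in findings:
        print(line)
    print("OK" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

Run it with the client's intended FQDN as the argument (or none, to use the local FQDN) before `ipa-client-install`; a non-zero exit means the reverse zone does not mirror the forward entry. One caveat on Simo's point in the thread: MIT Kerberos only consults reverse DNS when canonicalizing service principals if `rdns = true` in the `[libdefaults]` section of krb5.conf, which is the library default; with `rdns = false` a missing or stale PTR stops mattering to Kerberos, although the findings above still point at zone hygiene worth fixing.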
From kretebe at freemail.hu Tue Sep 15 05:25:17 2015
From: kretebe at freemail.hu (Molnár Domokos)
Date: Tue, 15 Sep 2015 07:25:17 +0200 (CEST)
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
In-Reply-To: <55F6C6BB.1040902@redhat.com>
Message-ID:

On 09/14/2015 03:08 PM, Pavel Březina wrote:
> On 09/11/2015 02:40 PM, Molnár Domokos wrote:
>> Full log attached.
>> "Molnár Domokos" wrote:
>>
>>
>> "Pavel Březina" wrote:
>>
>> On 09/09/2015 09:31 PM, Molnár Domokos wrote:
>> > I have a working IPA server and a working client config on an OpenSuse 13.2 with the following versions:
>> > nappali:~ # rpm -qa |grep sssd
>> > sssd-tools-1.12.2-3.4.1.i586
>> > sssd-krb5-1.12.2-3.4.1.i586
>> > python-sssd-config-1.12.2-3.4.1.i586
>> > sssd-ipa-1.12.2-3.4.1.i586
>> > sssd-1.12.2-3.4.1.i586
>> > sssd-dbus-1.12.2-3.4.1.i586
>> > sssd-krb5-common-1.12.2-3.4.1.i586
>> > sssd-ldap-1.12.2-3.4.1.i586
>> > sssd is configured for nss, pam, sudo
>> > There is a test sudo rule defined in the ipa server, which applies to user "doma". However when the user tries to use sudo the rule does not work.
>> > doma at nappali:/home/doma> sudo ls
>> > doma's password:
>> > doma is not allowed to run sudo on nappali. This incident will be reported.
>> > The corresponding log in the sssd_sudo.log is this:
>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> > (0x0200): name 'doma' matched without domain, user is doma >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> > (0x0200): name 'doma' matched without domain, user is doma >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] >> > (0x0200): Requesting default options for [doma] from [] >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): >> > Requesting info about [doma at szilva] >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> > [(&(objectClass=sudoRule)(|(name=defaults)))] >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> > (0x0200): name 'doma' matched without domain, user is doma >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> > (0x0200): name 'doma' matched without domain, user is doma >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] >> > (0x0200): Requesting rules for [doma] from [] >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): >> > Requesting info about [doma at szilva] >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> > 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] >> > (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client >> > disconnected! >> > This seems perfectly OK with one exception. The query against the sysdb >> > does not find the entry. This is strange because the entry is there. >> > Log in sssd.log: >> > (Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): >> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb >> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb >> > Running the exact same query seen above in the sssd_sudo.log against the >> > db returns: >> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb >> > "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))" >> > asq: Unable to register control with rootdse! >> > # record 1 >> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb >> > cn: Doma_ls >> > dataExpireTimestamp: 1441830262 >> > entryUSN: 20521 >> > name: Doma_ls >> > objectClass: sudoRule >> > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva >> > sudoCommand: ls >> > sudoHost: nappali.szilva >> > sudoRunAsGroup: ALL >> > sudoRunAsUser: ALL >> > sudoUser: doma >> > distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb >> > # returned 1 records >> > # 1 entries >> > # 0 referrals >> > This confirms that the entry is indeed there in the db. Why is it found >> > with ldbsearch and why does sssd_sudo not find it? >> > I am pretty much stuck with this one. Anyone has an idea? >> > >> > >> Hi, >> this is strange. Can you provide the logs with debug level set to 0x3ff0 >> >> please? Can you also send it as an attachment? Thanks! >> >> Sure. Here it is. Now I can see that the rule is returned. The >> question is why the rule does not match. 
Anyway much better :) > >Hi, thanks for the logs. Since the rule is returned, we will get more information from sudo logs. Can you please enable sudo logging by putting the following line into /etc/sudo.conf? > >Debug sudo /var/log/sudo_debug all at trace > >Run sudo and send us /var/log/sudo_debug? Thanks Thanks for the tip with the proper debug syntax - I was unable to get a single log item out of sudo before. I think I have found something. This is the relevant part of the output of all at debug (you need this not trace I think): Sep 14 22:13:39 sudo[2314] username=doma Sep 14 22:13:39 sudo[2314] domainname=NULL Sep 14 22:13:39 sudo[2314] state |= USERMATCH Sep 14 22:13:39 sudo[2314] Received 1 rule(s) Sep 14 22:13:39 sudo[2314] -> sudo_sss_filter_result @ ./sssd.c:175 Sep 14 22:13:39 sudo[2314] in_res=0xb7c9c1b8, count=1, act=INCLUDE Sep 14 22:13:39 sudo[2314] emalloc: cnt=1 Sep 14 22:13:39 sudo[2314] -> sudo_sss_result_filterp @ ./sssd.c:648 Sep 14 22:13:39 sudo[2314] -> sudo_sss_check_host @ ./sssd.c:556 Sep 14 22:13:39 sudo[2314] val[0]=nappali.szilva Sep 14 22:13:39 sudo[2314] -> addr_matches @ ./match_addr.c:206 Sep 14 22:13:39 sudo[2314] -> addr_matches_if @ ./match_addr.c:61 Sep 14 22:13:39 sudo[2314] <- addr_matches_if @ ./match_addr.c:71 := false Sep 14 22:13:39 sudo[2314] IP address nappali.szilva matches local host: false @ addr_matches() ./match_addr.c:217 Sep 14 22:13:39 sudo[2314] <- addr_matches @ ./match_addr.c:218 := false Sep 14 22:13:39 sudo[2314] -> netgr_matches @ ./match.c:941 Sep 14 22:13:39 sudo[2314] netgroup appali.szilva has no leading '+' Sep 14 22:13:39 sudo[2314] <- netgr_matches @ ./match.c:953 := false Sep 14 22:13:39 sudo[2314] -> hostname_matches @ ./match.c:776 Sep 14 22:13:39 sudo[2314] host nappali matches sudoers pattern nappali.szilva: false @ hostname_matches() ./match.c:788 Sep 14 22:13:39 sudo[2314] <- hostname_matches @ ./match.c:789 := false Sep 14 22:13:39 sudo[2314] sssd/ldap sudoHost 'nappali.szilva' ... 
not Sep 14 22:13:39 sudo[2314] <- sudo_sss_check_host @ ./sssd.c:591 := false Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_filterp @ ./sssd.c:654 := 0 Sep 14 22:13:39 sudo[2314] reallocating result: 0xb7cb1900 (count: 1 -> 0) Sep 14 22:13:39 sudo[2314] <- sudo_sss_filter_result @ ./sssd.c:221 := 0xb7c9e410 Sep 14 22:13:39 sudo[2314] u_sss_result=(0xb7c9c1b8, 1) => f_sss_result=(0xb7c9e410, 0) Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_get @ ./sssd.c:728 := 0xb7c9e410 Sep 14 22:13:39 sudo[2314] searching SSSD/LDAP for sudoers entries Sep 14 22:13:39 sudo[2314] Done with LDAP searches And here is the code from match.c. bool hostname_matches(const char *shost, const char *lhost, const char *pattern) { debug_decl(hostname_matches, SUDO_DEBUG_MATCH) const char *host; bool rc; host = strchr(pattern, '.') != NULL ? lhost : shost; if (has_meta(pattern)) { rc = !fnmatch(pattern, host, FNM_CASEFOLD); } else { rc = !strcasecmp(host, pattern); } sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, "host %s matches sudoers pattern %s: %s", host, pattern, rc ? "true" : "false"); debug_return_bool(rc); } By the look of it it should match. I tried to find out how shost and lhost get their values - these are macros to a member of the sudo_user struct but that part is not debugged. Only thing I can confirm is that I do not get the log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host); from line 816 of sudoers.c. I also checked the hosts file and there I do have the 192.168.110.3 nappali nappali.szilva entry. Still stuck whit this. -------------- next part -------------- An HTML attachment was scrubbed... 
From jhrozek at redhat.com Tue Sep 15 06:37:15 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 15 Sep 2015 08:37:15 +0200
Subject: [Freeipa-users] vsftpd PAM setup problem
In-Reply-To:
References:
Message-ID: <20150915063715.GC2884@hendrix>

On Mon, Sep 14, 2015 at 08:04:09PM -0400, jcnt at use.startmail.com wrote:
> > Is there anything for /var/log/secure for vsftpd ? I would look for
> > messages from pam_sss.so
>
> Sep 14 19:50:11 fds vsftpd[27097]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=::1 user=admin
> (END)
>
> Nothing from pam_sss.so
>
> Found a temporary workaround - turn off selinux, pam_sss now shows up in log files and admin login succeeds.
> Seems like problem is not related to freeipa itself.

Posting the AVC might be helpful here -- chances are just some files are
mislabeled. I tried a quick:

    # getsebool -a | grep ftp

but didn't find anything relevant that would need toggling to make
non-unix auth working.

From mkosek at redhat.com Tue Sep 15 06:38:54 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 15 Sep 2015 08:38:54 +0200
Subject: [Freeipa-users] AD Trust Issues
In-Reply-To:
References: <20150911203403.GN6168@redhat.com>
Message-ID: <55F7BCFE.3070409@redhat.com>

Rough FreeIPA 4.2.1 equivalent should be in RHEL-7.2 - Beta is already out:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-72-beta-now-available

On 09/14/2015 04:13 PM, Matt Wells wrote:
> Is the fix in CentOS or RHEL yet?
>
> On Fri, Sep 11, 2015 at 1:34 PM, Alexander Bokovoy
> wrote:
>
>> On Fri, 11 Sep 2015, Matt Wells wrote:
>>
>>> I've been working on an AD trust with our freeipa servers but have run
>>> into some of the same issues others have had.
>>> It's well documented here however I feel I've mitigated these -
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1219832
>>>
>>> Freeipa Servers are Fedora 22 / freeipa-server-4.2.0
>>> The Samba version I'm on is well past the patched version. It seems the
>>> patch is in samba-4.2.1-7.fc22 and I'm on samba-4.2.3-0 (assuming the
>>> patch is in this version).
>>>
>>> I run
>>> # echo Password123 | ipa trust-add --type=ad ad.example.com --trust-secret
>>> ipa: ERROR: CIFS server configuration does not allow access to
>>> \\pipe\lsarpc
>>>
>> This was looking like a partial fix. The full fix is in Fedora 23 with
>> FreeIPA 4.2.1 release (we haven't yet officially announced it).
>>
>> We were all busy at FreeIPA/SSSD gathering in Brno this week so there
>> wasn't really time to do Fedora 22 backport of the fixes yet.
>>
>> --
>> / Alexander Bokovoy
>>
>

From jhrozek at redhat.com Tue Sep 15 06:39:22 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 15 Sep 2015 08:39:22 +0200
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
In-Reply-To:
References: <55F6C6BB.1040902@redhat.com>
Message-ID: <20150915063922.GD2884@hendrix>

On Tue, Sep 15, 2015 at 07:25:17AM +0200, Molnár Domokos wrote:
> On 09/14/2015 03:08 PM, Pavel Březina wrote:
> >On 09/11/2015 02:40 PM, Molnár Domokos wrote:
> >>Full log attached.
> >>"Molnár Domokos" írta:
> >>
> >>
> >> "Pavel Březina" írta:
> >>
> >> On 09/09/2015 09:31 PM, Molnár Domokos wrote:
> >> > I have a working IPA server and a working client config on an OpenSuse
> >> > 13.2 with the following versions:
> >> > nappali:~ # rpm -qa |grep sssd
> >> > sssd-tools-1.12.2-3.4.1.i586
> >> > sssd-krb5-1.12.2-3.4.1.i586
> >> > python-sssd-config-1.12.2-3.4.1.i586
> >> > sssd-ipa-1.12.2-3.4.1.i586
> >> > sssd-1.12.2-3.4.1.i586
> >> > sssd-dbus-1.12.2-3.4.1.i586
> >> > sssd-krb5-common-1.12.2-3.4.1.i586
> >> > sssd-ldap-1.12.2-3.4.1.i586
> >> > sssd is configured for nss, pam, sudo
> >> > There is a test sudo rule defined in the ipa server, which applies to
> >> > user "doma". However when the user tries to use sudo the rule does not
> >> > work.
> >> > doma@nappali:/home/doma> sudo ls
> >> > doma's password:
> >> > doma is not allowed to run sudo on nappali. This incident will be reported.
> >> > The corresponding log in the sssd_sudo.log is this:
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> >> > Received client version [1].
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> >> > Offered version [1].
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> >> > (0x0200): name 'doma' matched without domain, user is doma
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> >> > (0x0200): name 'doma' matched without domain, user is doma
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> >> > (0x0200): Requesting default options for [doma] from []
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> >> > Requesting info about [doma@szilva]
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> >> > [(&(objectClass=sudoRule)(|(name=defaults)))]
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> >> > (0x0200): name 'doma' matched without domain, user is doma
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> >> > (0x0200): name 'doma' matched without domain, user is doma
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> >> > (0x0200): Requesting rules for [doma] from []
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> >> > Requesting info about [doma@szilva]
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
> >> > (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client
> >> > disconnected!
> >> > This seems perfectly OK with one exception. The query against the sysdb
> >> > does not find the entry. This is strange because the entry is there.
> >> > Log in sssd.log:
> >> > (Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200):
> >> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
> >> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
> >> > Running the exact same query seen above in the sssd_sudo.log against the
> >> > db returns:
> >> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
> >> > "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
> >> > asq: Unable to register control with rootdse!
> >> > # record 1
> >> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
> >> > cn: Doma_ls
> >> > dataExpireTimestamp: 1441830262
> >> > entryUSN: 20521
> >> > name: Doma_ls
> >> > objectClass: sudoRule
> >> > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
> >> > sudoCommand: ls
> >> > sudoHost: nappali.szilva
> >> > sudoRunAsGroup: ALL
> >> > sudoRunAsUser: ALL
> >> > sudoUser: doma
> >> > distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
> >> > # returned 1 records
> >> > # 1 entries
> >> > # 0 referrals
> >> > This confirms that the entry is indeed there in the db. Why is it found
> >> > with ldbsearch and why does sssd_sudo not find it?
> >> > I am pretty much stuck with this one. Anyone has an idea?
> >> >
> >> >
> >> Hi,
> >> this is strange. Can you provide the logs with debug level set to 0x3ff0
> >>
> >> please? Can you also send it as an attachment? Thanks!
> >>
> >> Sure. Here it is. Now I can see that the rule is returned. The
> >> question is why the rule does not match. Anyway much better :)
> >
> >Hi, thanks for the logs. Since the rule is returned, we will get more information from sudo logs. Can you please enable sudo logging by putting the following line into /etc/sudo.conf?
> >
> >Debug sudo /var/log/sudo_debug all@trace
> >
> >Run sudo and send us /var/log/sudo_debug? Thanks
>
> Thanks for the tip with the proper debug syntax - I was unable to get a single log item out of sudo before.
>
> I think I have found something. This is the relevant part of the output of all@debug (you need this not trace I think):
>
> Sep 14 22:13:39 sudo[2314] username=doma
> Sep 14 22:13:39 sudo[2314] domainname=NULL
> Sep 14 22:13:39 sudo[2314] state |= USERMATCH
> Sep 14 22:13:39 sudo[2314] Received 1 rule(s)
> Sep 14 22:13:39 sudo[2314] -> sudo_sss_filter_result @ ./sssd.c:175
> Sep 14 22:13:39 sudo[2314] in_res=0xb7c9c1b8, count=1, act=INCLUDE
> Sep 14 22:13:39 sudo[2314] emalloc: cnt=1
> Sep 14 22:13:39 sudo[2314] -> sudo_sss_result_filterp @ ./sssd.c:648
> Sep 14 22:13:39 sudo[2314] -> sudo_sss_check_host @ ./sssd.c:556
> Sep 14 22:13:39 sudo[2314] val[0]=nappali.szilva
> Sep 14 22:13:39 sudo[2314] -> addr_matches @ ./match_addr.c:206
> Sep 14 22:13:39 sudo[2314] -> addr_matches_if @ ./match_addr.c:61
> Sep 14 22:13:39 sudo[2314] <- addr_matches_if @ ./match_addr.c:71 := false
> Sep 14 22:13:39 sudo[2314] IP address nappali.szilva matches local host: false @ addr_matches() ./match_addr.c:217
> Sep 14 22:13:39 sudo[2314] <- addr_matches @ ./match_addr.c:218 := false
> Sep 14 22:13:39 sudo[2314] -> netgr_matches @ ./match.c:941
> Sep 14 22:13:39 sudo[2314] netgroup appali.szilva has no leading '+'
> Sep 14 22:13:39 sudo[2314] <- netgr_matches @ ./match.c:953 := false
> Sep 14 22:13:39 sudo[2314] -> hostname_matches @ ./match.c:776
> Sep 14 22:13:39 sudo[2314] host nappali matches sudoers pattern nappali.szilva: false @ hostname_matches() ./match.c:788
> Sep 14 22:13:39 sudo[2314] <- hostname_matches @ ./match.c:789 := false
> Sep 14 22:13:39 sudo[2314] sssd/ldap sudoHost 'nappali.szilva' ... not
> Sep 14 22:13:39 sudo[2314] <- sudo_sss_check_host @ ./sssd.c:591 := false
> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_filterp @ ./sssd.c:654 := 0
> Sep 14 22:13:39 sudo[2314] reallocating result: 0xb7cb1900 (count: 1 -> 0)
> Sep 14 22:13:39 sudo[2314] <- sudo_sss_filter_result @ ./sssd.c:221 := 0xb7c9e410
> Sep 14 22:13:39 sudo[2314] u_sss_result=(0xb7c9c1b8, 1) => f_sss_result=(0xb7c9e410, 0)
> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_get @ ./sssd.c:728 := 0xb7c9e410
> Sep 14 22:13:39 sudo[2314] searching SSSD/LDAP for sudoers entries
> Sep 14 22:13:39 sudo[2314] Done with LDAP searches
>
>
> And here is the code from match.c.
>
> bool
> hostname_matches(const char *shost, const char *lhost, const char *pattern)
> {
>     debug_decl(hostname_matches, SUDO_DEBUG_MATCH)
>     const char *host;
>     bool rc;
>
>     host = strchr(pattern, '.') != NULL ? lhost : shost;
>     if (has_meta(pattern)) {
>         rc = !fnmatch(pattern, host, FNM_CASEFOLD);
>     } else {
>         rc = !strcasecmp(host, pattern);
>     }
>     sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
>         "host %s matches sudoers pattern %s: %s",
>         host, pattern, rc ? "true" : "false");
>     debug_return_bool(rc);
> }
>
> By the look of it it should match. I tried to find out how shost and lhost get their values - these are macros to a member of the sudo_user struct but that part is not debugged. Only thing I can confirm is that I do not get the
>
> log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host);
>
> from line 816 of sudoers.c.
>
> I also checked the hosts file and there I do have the
>
> 192.168.110.3 nappali nappali.szilva
>
> entry.
>
> Still stuck with this.

What is the output of 'hostname' ? I don't think sudo canonicalizes it..
From kretebe at freemail.hu Tue Sep 15 07:10:39 2015
From: kretebe at freemail.hu (Molnár Domokos)
Date: Tue, 15 Sep 2015 09:10:39 +0200 (CEST)
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
In-Reply-To:
Message-ID:

"Molnár Domokos" írta:
>On 09/14/2015 03:08 PM, Pavel Březina wrote:
>>On 09/11/2015 02:40 PM, Molnár Domokos wrote:
>>>Full log attached.
>>>"Molnár Domokos" írta:
>>>
>>>
>>> "Pavel Březina" írta:
>>>
>>> On 09/09/2015 09:31 PM, Molnár Domokos wrote:
>>> > I have a working IPA server and a working client config on an OpenSuse
>>> > 13.2 with the following versions:
>>> > nappali:~ # rpm -qa |grep sssd
>>> > sssd-tools-1.12.2-3.4.1.i586
>>> > sssd-krb5-1.12.2-3.4.1.i586
>>> > python-sssd-config-1.12.2-3.4.1.i586
>>> > sssd-ipa-1.12.2-3.4.1.i586
>>> > sssd-1.12.2-3.4.1.i586
>>> > sssd-dbus-1.12.2-3.4.1.i586
>>> > sssd-krb5-common-1.12.2-3.4.1.i586
>>> > sssd-ldap-1.12.2-3.4.1.i586
>>> > sssd is configured for nss, pam, sudo
>>> > There is a test sudo rule defined in the ipa server, which applies to
>>> > user "doma". However when the user tries to use sudo the rule does not
>>> > work.
>>> > doma@nappali:/home/doma> sudo ls
>>> > doma's password:
>>> > doma is not allowed to run sudo on nappali. This incident will be reported.
>>> > The corresponding log in the sssd_sudo.log is this:
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>>> > Received client version [1].
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>>> > Offered version [1].
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>>> > (0x0200): name 'doma' matched without domain, user is doma
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>>> > (0x0200): name 'doma' matched without domain, user is doma
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>>> > (0x0200): Requesting default options for [doma] from []
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>>> > Requesting info about [doma@szilva]
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>>> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>>> > [(&(objectClass=sudoRule)(|(name=defaults)))]
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>>> > (0x0200): name 'doma' matched without domain, user is doma
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>>> > (0x0200): name 'doma' matched without domain, user is doma
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>>> > (0x0200): Requesting rules for [doma] from []
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>>> > Requesting info about [doma@szilva]
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>>> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>>> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
>>> > (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client
>>> > disconnected!
>>> > This seems perfectly OK with one exception. The query against the sysdb
>>> > does not find the entry. This is strange because the entry is there.
>>> > Log in sssd.log:
>>> > (Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200):
>>> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
>>> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
>>> > Running the exact same query seen above in the sssd_sudo.log against the
>>> > db returns:
>>> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
>>> > "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
>>> > asq: Unable to register control with rootdse!
>>> > # record 1
>>> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>>> > cn: Doma_ls
>>> > dataExpireTimestamp: 1441830262
>>> > entryUSN: 20521
>>> > name: Doma_ls
>>> > objectClass: sudoRule
>>> > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
>>> > sudoCommand: ls
>>> > sudoHost: nappali.szilva
>>> > sudoRunAsGroup: ALL
>>> > sudoRunAsUser: ALL
>>> > sudoUser: doma
>>> > distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>>> > # returned 1 records
>>> > # 1 entries
>>> > # 0 referrals
>>> > This confirms that the entry is indeed there in the db. Why is it found
>>> > with ldbsearch and why does sssd_sudo not find it?
>>> > I am pretty much stuck with this one. Anyone has an idea?
>>> >
>>> >
>>> Hi,
>>> this is strange. Can you provide the logs with debug level set to 0x3ff0
>>>
>>> please? Can you also send it as an attachment? Thanks!
>>>
>>> Sure. Here it is. Now I can see that the rule is returned. The
>>> question is why the rule does not match. Anyway much better :)
>>
>>Hi, thanks for the logs. Since the rule is returned, we will get more information from sudo logs. Can you please enable sudo logging by putting the following line into /etc/sudo.conf?
>>
>>Debug sudo /var/log/sudo_debug all@trace
>>
>>Run sudo and send us /var/log/sudo_debug? Thanks
>
>Thanks for the tip with the proper debug syntax - I was unable to get a single log item out of sudo before.
>
>I think I have found something. This is the relevant part of the output of all@debug (you need this not trace I think):
>
>Sep 14 22:13:39 sudo[2314] username=doma
>Sep 14 22:13:39 sudo[2314] domainname=NULL
>Sep 14 22:13:39 sudo[2314] state |= USERMATCH
>Sep 14 22:13:39 sudo[2314] Received 1 rule(s)
>Sep 14 22:13:39 sudo[2314] -> sudo_sss_filter_result @ ./sssd.c:175
>Sep 14 22:13:39 sudo[2314] in_res=0xb7c9c1b8, count=1, act=INCLUDE
>Sep 14 22:13:39 sudo[2314] emalloc: cnt=1
>Sep 14 22:13:39 sudo[2314] -> sudo_sss_result_filterp @ ./sssd.c:648
>Sep 14 22:13:39 sudo[2314] -> sudo_sss_check_host @ ./sssd.c:556
>Sep 14 22:13:39 sudo[2314] val[0]=nappali.szilva
>Sep 14 22:13:39 sudo[2314] -> addr_matches @ ./match_addr.c:206
>Sep 14 22:13:39 sudo[2314] -> addr_matches_if @ ./match_addr.c:61
>Sep 14 22:13:39 sudo[2314] <- addr_matches_if @ ./match_addr.c:71 := false
>Sep 14 22:13:39 sudo[2314] IP address nappali.szilva matches local host: false @ addr_matches() ./match_addr.c:217
>Sep 14 22:13:39 sudo[2314] <- addr_matches @ ./match_addr.c:218 := false
>Sep 14 22:13:39 sudo[2314] -> netgr_matches @ ./match.c:941
>Sep 14 22:13:39 sudo[2314] netgroup appali.szilva has no leading '+'
>Sep 14 22:13:39 sudo[2314] <- netgr_matches @ ./match.c:953 := false
>Sep 14 22:13:39 sudo[2314] -> hostname_matches @ ./match.c:776
>Sep 14 22:13:39 sudo[2314] host nappali matches sudoers pattern nappali.szilva: false @ hostname_matches() ./match.c:788
>Sep 14 22:13:39 sudo[2314] <- hostname_matches @ ./match.c:789 := false
>Sep 14 22:13:39 sudo[2314] sssd/ldap sudoHost 'nappali.szilva' ... not
>Sep 14 22:13:39 sudo[2314] <- sudo_sss_check_host @ ./sssd.c:591 := false
>Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_filterp @ ./sssd.c:654 := 0
>Sep 14 22:13:39 sudo[2314] reallocating result: 0xb7cb1900 (count: 1 -> 0)
>Sep 14 22:13:39 sudo[2314] <- sudo_sss_filter_result @ ./sssd.c:221 := 0xb7c9e410
>Sep 14 22:13:39 sudo[2314] u_sss_result=(0xb7c9c1b8, 1) => f_sss_result=(0xb7c9e410, 0)
>Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_get @ ./sssd.c:728 := 0xb7c9e410
>Sep 14 22:13:39 sudo[2314] searching SSSD/LDAP for sudoers entries
>Sep 14 22:13:39 sudo[2314] Done with LDAP searches
>
>
>And here is the code from match.c.
>
>bool
>hostname_matches(const char *shost, const char *lhost, const char *pattern)
>{
>    debug_decl(hostname_matches, SUDO_DEBUG_MATCH)
>    const char *host;
>    bool rc;
>
>    host = strchr(pattern, '.') != NULL ? lhost : shost;
>    if (has_meta(pattern)) {
>        rc = !fnmatch(pattern, host, FNM_CASEFOLD);
>    } else {
>        rc = !strcasecmp(host, pattern);
>    }
>    sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
>        "host %s matches sudoers pattern %s: %s",
>        host, pattern, rc ? "true" : "false");
>    debug_return_bool(rc);
>}
>
>By the look of it it should match. I tried to find out how shost and lhost get their values - these are macros to a member of the sudo_user struct but that part is not debugged. Only thing I can confirm is that I do not get the
>
>log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host);
>
>from line 816 of sudoers.c.
>
>I also checked the hosts file and there I do have the
>
>192.168.110.3 nappali nappali.szilva
>
>entry.
>
>Still stuck with this.
>

Additional info. In match.c

780     host = strchr(pattern, '.') != NULL ? lhost : shost;

if the pattern contains a '.' then lhost is used, which is then

784     rc = !strcasecmp(host, pattern);

compared with the pattern. In our case - from the debug log - host is "nappali" while the pattern is "nappali.szilva". Clearly for some reason lhost does not contain the fqdn as it should.
I also tested the set_fqdn at line 806 in sudoers.c with this code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* glibc has no AI_FQDN; sudo itself falls back to AI_CANONNAME in that case */
#ifndef AI_FQDN
#define AI_FQDN AI_CANONNAME
#endif

int main(void)
{
    struct addrinfo *res0, hint;
    char *p;
    const char *user_host = "nappali";   /* short name, as gethostname() returns it */
    const char *user_shost;

    memset(&hint, 0, sizeof(hint));
    hint.ai_family = PF_UNSPEC;
    hint.ai_flags = AI_FQDN;
    if (getaddrinfo(user_host, NULL, &hint, &res0) != 0) {
        printf("unable to resolve host %s\n", user_host);
        return 1;
    }
    /* the canonical name becomes the long host, the part before the first '.' the short host */
    user_host = strdup(res0->ai_canonname);
    printf("Canonname, user_host: %s, %s\n", res0->ai_canonname, user_host);
    if ((p = strchr(user_host, '.')) != NULL)
        user_shost = strndup(user_host, (size_t)(p - user_host));
    else
        user_shost = user_host;
    freeaddrinfo(res0);
    printf("Shost: %s\n", user_shost);
    return 0;
}

This outputs on the host in question:

doma@nappali:/home/doma> cc test.c
doma@nappali:/home/doma> ./a.out
Canonname, user_host: nappali.szilva, nappali.szilva
Shost: nappali

Seems OK. Any idea?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From kretebe at freemail.hu Tue Sep 15 07:13:09 2015
From: kretebe at freemail.hu (=?UTF-8?Q?Moln=C3=A1r_Domokos?=)
Date: Tue, 15 Sep 2015 09:13:09 +0200 (CEST)
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
In-Reply-To: <20150915063922.GD2884@hendrix>
Message-ID: 

Jakub Hrozek wrote:
>On Tue, Sep 15, 2015 at 07:25:17AM +0200, Molnár Domokos wrote:
>> On 09/14/2015 03:08 PM, Pavel Březina wrote:
>> >On 09/11/2015 02:40 PM, Molnár Domokos wrote:
>> >> >>Full log attached.
>> >>"Moln?r Domokos" ?rta: >> >> >> >> >> >> "Pavel B?ezina" ?rta: >> >> >> >> On 09/09/2015 09:31 PM, Moln?r Domokos wrote: >> >> > I have a working IPA server and a working client config on an OpenSuse >> >> > 13.2 with the following versions: >> >> > nappali:~ # rpm -qa |grep sssd >> >> > sssd-tools-1.12.2-3.4.1.i586 >> >> > sssd-krb5-1.12.2-3.4.1.i586 >> >> > python-sssd-config-1.12.2-3.4.1.i586 >> >> > sssd-ipa-1.12.2-3.4.1.i586 >> >> > sssd-1.12.2-3.4.1.i586 >> >> > sssd-dbus-1.12.2-3.4.1.i586 >> >> > sssd-krb5-common-1.12.2-3.4.1.i586 >> >> > sssd-ldap-1.12.2-3.4.1.i586 >> >> > sssd is confihured for nss, pam, sudo >> >> > There is a test sudo rule defined in the ipa server, which applies to >> >> > user "doma". However when the user tries to use sudo the rule does not >> >> > work. >> >> > doma at nappali:/home/doma> sudo ls >> >> > doma's password: >> >> > doma is not allowed to run sudo on nappali. This incident will be reported. >> >> > The corresponding log in the sssd_sudo.log is this: >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): >> >> > Received client version [1]. >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): >> >> > Offered version [1]. 
>> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> >> > (0x0200): name 'doma' matched without domain, user is doma >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> >> > (0x0200): name 'doma' matched without domain, user is doma >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] >> >> > (0x0200): Requesting default options for [doma] from [] >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): >> >> > Requesting info about [doma at szilva] >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> >> > [(&(objectClass=sudoRule)(|(name=defaults)))] >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> >> > (0x0200): name 'doma' matched without domain, user is doma >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> >> > (0x0200): name 'doma' matched without domain, user is doma >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] >> >> > (0x0200): Requesting rules for [doma] from [] >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): >> >> > Requesting info about [doma at szilva] >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> >> > 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] >> >> > (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client >> >> > disconnected! >> >> > This seems perfectly OK with one exception. The query against the sysdb >> >> > does not find the entry. This is strange because the entry is there. >> >> > Log in sssd.log: >> >> > (Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): >> >> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb >> >> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb >> >> > Running the exact same query seen above in the sssd_sudo.log against the >> >> > db returns: >> >> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb >> >> > "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))" >> >> > asq: Unable to register control with rootdse! >> >> > # record 1 >> >> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb >> >> > cn: Doma_ls >> >> > dataExpireTimestamp: 1441830262 >> >> > entryUSN: 20521 >> >> > name: Doma_ls >> >> > objectClass: sudoRule >> >> > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva >> >> > sudoCommand: ls >> >> > sudoHost: nappali.szilva >> >> > sudoRunAsGroup: ALL >> >> > sudoRunAsUser: ALL >> >> > sudoUser: doma >> >> > distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb >> >> > # returned 1 records >> >> > # 1 entries >> >> > # 0 referrals >> >> > This confirms that the entry is indeed there in the db. Why is it found >> >> > with ldbsearch and why does sssd_sudo not find it? >> >> > I am pretty much stuck with this one. Anyone has an idea? >> >> > >> >> > >> >> Hi, >> >> this is strange. Can you provide the logs with debug level set to 0x3ff0 >> >> >> >> please? 
Can you also send it as an attachment? Thanks! >> >> >> >> Sure. Here it is. Now I can see that the rule is returned. The >> >> question is why the rule does not match. Anyway much better :) >> >> > >> >Hi, thanks for the logs. Since the rule is returned, we will get more information from sudo logs. Can you please enable sudo logging by putting the following line into /etc/sudo.conf? >> > >> >Debug sudo /var/log/sudo_debug all at trace >> > >> >Run sudo and send us /var/log/sudo_debug? Thanks >> >> Thanks for the tip with the proper debug syntax - I was unable to get a single log item out of sudo before. >> >> I think I have found something. This is the relevant part of the output of all at debug (you need this not trace I think): >> >> Sep 14 22:13:39 sudo[2314] username=doma >> Sep 14 22:13:39 sudo[2314] domainname=NULL >> Sep 14 22:13:39 sudo[2314] state |= USERMATCH >> Sep 14 22:13:39 sudo[2314] Received 1 rule(s) >> Sep 14 22:13:39 sudo[2314] -> sudo_sss_filter_result @ ./sssd.c:175 >> Sep 14 22:13:39 sudo[2314] in_res=0xb7c9c1b8, count=1, act=INCLUDE >> Sep 14 22:13:39 sudo[2314] emalloc: cnt=1 >> Sep 14 22:13:39 sudo[2314] -> sudo_sss_result_filterp @ ./sssd.c:648 >> Sep 14 22:13:39 sudo[2314] -> sudo_sss_check_host @ ./sssd.c:556 >> Sep 14 22:13:39 sudo[2314] val[0]=nappali.szilva >> Sep 14 22:13:39 sudo[2314] -> addr_matches @ ./match_addr.c:206 >> Sep 14 22:13:39 sudo[2314] -> addr_matches_if @ ./match_addr.c:61 >> Sep 14 22:13:39 sudo[2314] <- addr_matches_if @ ./match_addr.c:71 := false >> Sep 14 22:13:39 sudo[2314] IP address nappali.szilva matches local host: false @ addr_matches() ./match_addr.c:217 >> Sep 14 22:13:39 sudo[2314] <- addr_matches @ ./match_addr.c:218 := false >> Sep 14 22:13:39 sudo[2314] -> netgr_matches @ ./match.c:941 >> Sep 14 22:13:39 sudo[2314] netgroup appali.szilva has no leading '+' >> Sep 14 22:13:39 sudo[2314] <- netgr_matches @ ./match.c:953 := false >> Sep 14 22:13:39 sudo[2314] -> hostname_matches @ ./match.c:776 >> Sep 
14 22:13:39 sudo[2314] host nappali matches sudoers pattern nappali.szilva: false @ hostname_matches() ./match.c:788 >> Sep 14 22:13:39 sudo[2314] <- hostname_matches @ ./match.c:789 := false >> Sep 14 22:13:39 sudo[2314] sssd/ldap sudoHost 'nappali.szilva' ... not >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_check_host @ ./sssd.c:591 := false >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_filterp @ ./sssd.c:654 := 0 >> Sep 14 22:13:39 sudo[2314] reallocating result: 0xb7cb1900 (count: 1 -> 0) >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_filter_result @ ./sssd.c:221 := 0xb7c9e410 >> Sep 14 22:13:39 sudo[2314] u_sss_result=(0xb7c9c1b8, 1) => f_sss_result=(0xb7c9e410, 0) >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_get @ ./sssd.c:728 := 0xb7c9e410 >> Sep 14 22:13:39 sudo[2314] searching SSSD/LDAP for sudoers entries >> Sep 14 22:13:39 sudo[2314] Done with LDAP searches >> >> >> And here is the code from match.c. >> >> bool >> hostname_matches(const char *shost, const char *lhost, const char *pattern) >> { >> debug_decl(hostname_matches, SUDO_DEBUG_MATCH) >> const char *host; >> bool rc; >> >> host = strchr(pattern, '.') != NULL ? lhost : shost; >> if (has_meta(pattern)) { >> rc = !fnmatch(pattern, host, FNM_CASEFOLD); >> } else { >> rc = !strcasecmp(host, pattern); >> } >> sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, >> "host %s matches sudoers pattern %s: %s", >> host, pattern, rc ? "true" : "false"); >> debug_return_bool(rc); >> } >> >> By the look of it it should match. I tried to find out how shost and lhost get their values - these are macros to a member of the sudo_user struct but that part is not debugged. Only thing I can confirm is that I do not get the >> >> log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host); >> >> from line 816 of sudoers.c. >> >> I also checked the hosts file and there I do have the >> >> 192.168.110.3 nappali nappali.szilva >> >> entry. >> >> Still stuck whit this. > >What is the output of 'hostname' ? 
> >I don't think sudo canonicalizes it..
> >--

doma@nappali:/home/doma> hostname
nappali
doma@nappali:/home/doma> hostname --fqdn
nappali.szilva
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From pspacek at redhat.com Tue Sep 15 07:49:33 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 15 Sep 2015 09:49:33 +0200
Subject: [Freeipa-users] ipa-client-install not creating reverse DNS entries
In-Reply-To: <55F7747D.6080604@nathanpeters.com>
References: <1441992746.29376.27.camel@willson.usersys.redhat.com> <55F3BB1A.6090304@nathanpeters.com> <55F67126.7030802@redhat.com> <55F7747D.6080604@nathanpeters.com>
Message-ID: <55F7CD8D.9060904@redhat.com>

On 15.9.2015 03:29, Nathan Peters wrote:
> I think it was not having dynamic updates enabled for the reverse zone. I

Yes, that is it. See https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR for more details.

> enabled those and PTR sync on both the forward and reverse and now it seems to
> be working for a new client that I joined.
>
> What I'm not clear on at this point is why that is not a default setting. I
> know at some point I deleted a /24 reverse zone and made a /16 instead because
> we have too many /24s to manage efficiently.
>
> Also, due to the issues that can arise from not having valid PTR entries, you
> would think that this would be defaulted to on.

Well, it is not enabled by default because values of A/AAAA records (and thus PTR records created by SyncPTR feature) are not validated in any way. It is up to admin to decide if it is acceptable risk or not.

Petr^2 Spacek

>
> On 9/14/2015 12:03 AM, Martin Basti wrote:
>> Hi,
>> can you check the journalctl -u named(-pkcs11) on server, they might be
>> errors why PTR record has not been added.
>>
>> Do you have enabled dynamic updates for the reverse zone?
>>
>> Martin
>>
>> On 09/12/2015 10:42 PM, Youenn PIOLET wrote:
>>>
>>> Hi,
>>>
>>> I've seen the same issue recently on various clients using ipa 3.3 and ipa
>>> 4.* during the first join on a clean OS. Can't confirm it was working
>>> before. Is it normal behavior?
>>>
>>> Allow PTR sync is enabled.
>>>
>>> Cheers,
>>>
>>> On 12 Sept 2015 7:44 AM, "Nathan Peters" wrote:
>>>
>>>
>>> On 9/11/2015 10:32 AM, Simo Sorce wrote:
>>>
>>> On Fri, 2015-09-11 at 10:25 -0700, nathan at nathanpeters.com wrote:
>>>
>>> I have been trying to figure this out for a while now but when I join
>>> machine to FreeIPA, the installer properly creates forward DNS
>>> entries, and DNS SSHFP entries, but does not create reverse entries.
>>> Without the PTR records, kerberos logins are always failing on these
>>> machines.
>>>
>>> I am interested in understanding what fails exactly, stuff should not
>>> depend on reverse resolution can you give me an example of a failure ?
>>>
>>> For the PTR creation anyway have you enabled the option to allow setting
>>> PTR records ?
>>> There is a global DNS option (as well as per-zone setting) called
>>> "Allow PTR Sync" you may want to enable.
>>>
>>>
>>> When we attempt to login using kerberos on a machine that has no
>>> reverse DNS entry defined, we are instead prompted with a
>>> password prompt. The password authentication still works but the
>>> ticket does not.
>>>
>>> From what I read, the Allow PTR Sync option is only used in
>>> conjunction with DNS IP address changes and does not apply to the
>>> initial join of the domain.
>>>
>>> Is the joining process supposed to create reverse DNS entries for
>>> the clients or just forward entries and SSHFP entries?
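The sudo host-matching behaviour traced through match.c in the sudo thread above (hostname_matches compares a sudoHost pattern that contains a dot against the long host name, so a kernel hostname of plain "nappali" can never match the rule's "nappali.szilva"), as an added, self-contained C example that is not part of the list discussion and not sudo's own source. It reimplements the same rule (wildcards via fnmatch, plain names via strcasecmp) together with the long-to-short host split that the poster's set_fqdn test program exercises, so the short-name versus FQDN failure can be checked offline, without DNS. The host names nappali and nappali.szilva are taken from the thread; every `demo_` function is this example's own, and case folding for the wildcard path is done by lower-casing both sides here because the FNM_CASEFOLD flag sudo uses is a GNU extension.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define DEMO_HOST_MAX 256

/* Lower-case copy of a string, so the wildcard comparison is case-insensitive
 * without relying on the GNU-only FNM_CASEFOLD flag sudo itself passes. */
static void demo_lower(const char *in, char *out, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len && in[i] != '\0'; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[i] = '\0';
}

/* Does the pattern carry shell-style wildcards? (stand-in for sudo's has_meta) */
static bool demo_has_meta(const char *s)
{
    return strpbrk(s, "\\?*[]") != NULL;
}

/*
 * Same selection rule as hostname_matches() in sudo's match.c: a pattern that
 * contains a '.' is compared against the long (fully qualified) host name,
 * any other pattern against the short name.
 */
bool demo_hostname_matches(const char *shost, const char *lhost, const char *pattern)
{
    const char *host = strchr(pattern, '.') != NULL ? lhost : shost;
    if (demo_has_meta(pattern)) {
        char h[DEMO_HOST_MAX], p[DEMO_HOST_MAX];
        demo_lower(host, h, sizeof h);
        demo_lower(pattern, p, sizeof p);
        return fnmatch(p, h, 0) == 0;
    }
    return strcasecmp(host, pattern) == 0;
}

/*
 * Derive the short host name from the long one the way the poster's
 * set_fqdn() test does: everything before the first '.'. Returns the number
 * of characters copied into shost.
 */
size_t demo_short_host(const char *lhost, char *shost, size_t len)
{
    const char *dot = strchr(lhost, '.');
    size_t n = dot != NULL ? (size_t)(dot - lhost) : strlen(lhost);
    if (n >= len)
        n = len - 1;
    memcpy(shost, lhost, n);
    shost[n] = '\0';
    return n;
}

/*
 * Reproduce the two situations from the thread with constructed host names:
 *  1. the kernel hostname is the short "nappali" and sudo does not
 *     canonicalize it, so lhost == shost == "nappali";
 *  2. the long name "nappali.szilva" is known and the short name is split
 *     off from it.
 * Returns true only if the rule fails to match in case 1 and matches in case 2.
 */
bool demo_thread_scenario(void)
{
    const char *rule_host = "nappali.szilva";   /* sudoHost of the IPA rule Doma_ls */
    char shost[DEMO_HOST_MAX];

    bool short_only = demo_hostname_matches("nappali", "nappali", rule_host);

    demo_short_host("nappali.szilva", shost, sizeof shost);
    bool with_fqdn = demo_hostname_matches(shost, "nappali.szilva", rule_host);

    return !short_only && with_fqdn && strcmp(shost, "nappali") == 0;
}

int main(void)
{
    printf("short hostname only, rule nappali.szilva: %s\n",
           demo_hostname_matches("nappali", "nappali", "nappali.szilva") ? "match" : "no match");
    printf("FQDN hostname, rule nappali.szilva:       %s\n",
           demo_hostname_matches("nappali", "nappali.szilva", "nappali.szilva") ? "match" : "no match");
    printf("FQDN hostname, rule *.szilva:             %s\n",
           demo_hostname_matches("nappali", "nappali.szilva", "*.szilva") ? "match" : "no match");
    printf("thread scenario reproduced: %s\n", demo_thread_scenario() ? "yes" : "no");
    return 0;
}
```

What this shows for anyone auditing sudo rules served from IPA: a rule whose sudoHost is a fully qualified name is silently inert on a client whose `hostname` output is the short name, because sudo feeds that short name to the long-host comparison. Checking that `hostname` and `hostname --fqdn` agree on every client (or that sudo is configured to canonicalize the host name) is the cheap way to confirm the rules you believe are in force actually are.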
From jhrozek at redhat.com Tue Sep 15 08:07:42 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 15 Sep 2015 10:07:42 +0200 Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db In-Reply-To: References: <20150915063922.GD2884@hendrix> Message-ID: <20150915080742.GF2884@hendrix> On Tue, Sep 15, 2015 at 09:13:09AM +0200, Moln?r Domokos wrote: > > Jakub Hrozek ?rta: > >On Tue, Sep 15, 2015 at 07:25:17AM +0200, Moln?r Domokos wrote: > >> On 09/14/2015 03:08 PM, Pavel B?ezina wrote: > >> >On 09/11/2015 02:40 PM, Moln?r Domokos wrote: > >> > >> >>Full log attached. > >> >>"Moln?r Domokos" ?rta: > >> >> > >> >> > >> >> "Pavel B?ezina" ?rta: > >> >> > >> >> On 09/09/2015 09:31 PM, Moln?r Domokos wrote: > >> >> > I have a working IPA server and a working client config on an OpenSuse > >> >> > 13.2 with the following versions: > >> >> > nappali:~ # rpm -qa |grep sssd > >> >> > sssd-tools-1.12.2-3.4.1.i586 > >> >> > sssd-krb5-1.12.2-3.4.1.i586 > >> >> > python-sssd-config-1.12.2-3.4.1.i586 > >> >> > sssd-ipa-1.12.2-3.4.1.i586 > >> >> > sssd-1.12.2-3.4.1.i586 > >> >> > sssd-dbus-1.12.2-3.4.1.i586 > >> >> > sssd-krb5-common-1.12.2-3.4.1.i586 > >> >> > sssd-ldap-1.12.2-3.4.1.i586 > >> >> > sssd is confihured for nss, pam, sudo > >> >> > There is a test sudo rule defined in the ipa server, which applies to > >> >> > user "doma". However when the user tries to use sudo the rule does not > >> >> > work. > >> >> > doma at nappali:/home/doma> sudo ls > >> >> > doma's password: > >> >> > doma is not allowed to run sudo on nappali. This incident will be reported. > >> >> > The corresponding log in the sssd_sudo.log is this: > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > >> >> > Received client version [1]. > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > >> >> > Offered version [1]. 
> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > >> >> > (0x0200): name 'doma' matched without domain, user is doma > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > >> >> > (0x0200): name 'doma' matched without domain, user is doma > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > >> >> > (0x0200): Requesting default options for [doma] from [] > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): > >> >> > Requesting info about [doma at szilva] > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] > >> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > >> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] > >> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > >> >> > [(&(objectClass=sudoRule)(|(name=defaults)))] > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > >> >> > (0x0200): name 'doma' matched without domain, user is doma > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] > >> >> > (0x0200): name 'doma' matched without domain, user is doma > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > >> >> > (0x0200): Requesting rules for [doma] from [] > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): > >> >> > Requesting info about [doma at szilva] > >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] > >> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > >> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] > >> 
>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] > >> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > >> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] > >> >> > (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client > >> >> > disconnected! > >> >> > This seems perfectly OK with one exception. The query against the sysdb > >> >> > does not find the entry. This is strange because the entry is there. > >> >> > Log in sssd.log: > >> >> > (Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): > >> >> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb > >> >> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb > >> >> > Running the exact same query seen above in the sssd_sudo.log against the > >> >> > db returns: > >> >> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb > >> >> > "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))" > >> >> > asq: Unable to register control with rootdse! > >> >> > # record 1 > >> >> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb > >> >> > cn: Doma_ls > >> >> > dataExpireTimestamp: 1441830262 > >> >> > entryUSN: 20521 > >> >> > name: Doma_ls > >> >> > objectClass: sudoRule > >> >> > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva > >> >> > sudoCommand: ls > >> >> > sudoHost: nappali.szilva > >> >> > sudoRunAsGroup: ALL > >> >> > sudoRunAsUser: ALL > >> >> > sudoUser: doma > >> >> > distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb > >> >> > # returned 1 records > >> >> > # 1 entries > >> >> > # 0 referrals > >> >> > This confirms that the entry is indeed there in the db. Why is it found > >> >> > with ldbsearch and why does sssd_sudo not find it? > >> >> > I am pretty much stuck with this one. Anyone has an idea? 
> >> >> > > >> >> > > >> >> Hi, > >> >> this is strange. Can you provide the logs with debug level set to 0x3ff0 > >> >> > >> >> please? Can you also send it as an attachment? Thanks! > >> >> > >> >> Sure. Here it is. Now I can see that the rule is returned. The > >> >> question is why the rule does not match. Anyway much better :) > >> > >> > > >> >Hi, thanks for the logs. Since the rule is returned, we will get more information from sudo logs. Can you please enable sudo logging by putting the following line into /etc/sudo.conf? > >> > > >> >Debug sudo /var/log/sudo_debug all at trace > >> > > >> >Run sudo and send us /var/log/sudo_debug? Thanks > >> > >> Thanks for the tip with the proper debug syntax - I was unable to get a single log item out of sudo before. > >> > >> I think I have found something. This is the relevant part of the output of all at debug (you need this not trace I think): > >> > >> Sep 14 22:13:39 sudo[2314] username=doma > >> Sep 14 22:13:39 sudo[2314] domainname=NULL > >> Sep 14 22:13:39 sudo[2314] state |= USERMATCH > >> Sep 14 22:13:39 sudo[2314] Received 1 rule(s) > >> Sep 14 22:13:39 sudo[2314] -> sudo_sss_filter_result @ ./sssd.c:175 > >> Sep 14 22:13:39 sudo[2314] in_res=0xb7c9c1b8, count=1, act=INCLUDE > >> Sep 14 22:13:39 sudo[2314] emalloc: cnt=1 > >> Sep 14 22:13:39 sudo[2314] -> sudo_sss_result_filterp @ ./sssd.c:648 > >> Sep 14 22:13:39 sudo[2314] -> sudo_sss_check_host @ ./sssd.c:556 > >> Sep 14 22:13:39 sudo[2314] val[0]=nappali.szilva > >> Sep 14 22:13:39 sudo[2314] -> addr_matches @ ./match_addr.c:206 > >> Sep 14 22:13:39 sudo[2314] -> addr_matches_if @ ./match_addr.c:61 > >> Sep 14 22:13:39 sudo[2314] <- addr_matches_if @ ./match_addr.c:71 := false > >> Sep 14 22:13:39 sudo[2314] IP address nappali.szilva matches local host: false @ addr_matches() ./match_addr.c:217 > >> Sep 14 22:13:39 sudo[2314] <- addr_matches @ ./match_addr.c:218 := false > >> Sep 14 22:13:39 sudo[2314] -> netgr_matches @ ./match.c:941 > >> Sep 14 
22:13:39 sudo[2314] netgroup appali.szilva has no leading '+' > >> Sep 14 22:13:39 sudo[2314] <- netgr_matches @ ./match.c:953 := false > >> Sep 14 22:13:39 sudo[2314] -> hostname_matches @ ./match.c:776 > >> Sep 14 22:13:39 sudo[2314] host nappali matches sudoers pattern nappali.szilva: false @ hostname_matches() ./match.c:788 > >> Sep 14 22:13:39 sudo[2314] <- hostname_matches @ ./match.c:789 := false > >> Sep 14 22:13:39 sudo[2314] sssd/ldap sudoHost 'nappali.szilva' ... not > >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_check_host @ ./sssd.c:591 := false > >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_filterp @ ./sssd.c:654 := 0 > >> Sep 14 22:13:39 sudo[2314] reallocating result: 0xb7cb1900 (count: 1 -> 0) > >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_filter_result @ ./sssd.c:221 := 0xb7c9e410 > >> Sep 14 22:13:39 sudo[2314] u_sss_result=(0xb7c9c1b8, 1) => f_sss_result=(0xb7c9e410, 0) > >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_get @ ./sssd.c:728 := 0xb7c9e410 > >> Sep 14 22:13:39 sudo[2314] searching SSSD/LDAP for sudoers entries > >> Sep 14 22:13:39 sudo[2314] Done with LDAP searches > >> > >> > >> And here is the code from match.c. > >> > >> bool > >> hostname_matches(const char *shost, const char *lhost, const char *pattern) > >> { > >> debug_decl(hostname_matches, SUDO_DEBUG_MATCH) > >> const char *host; > >> bool rc; > >> > >> host = strchr(pattern, '.') != NULL ? lhost : shost; > >> if (has_meta(pattern)) { > >> rc = !fnmatch(pattern, host, FNM_CASEFOLD); > >> } else { > >> rc = !strcasecmp(host, pattern); > >> } > >> sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, > >> "host %s matches sudoers pattern %s: %s", > >> host, pattern, rc ? "true" : "false"); > >> debug_return_bool(rc); > >> } > >> > >> By the look of it it should match. I tried to find out how shost and lhost get their values - these are macros to a member of the sudo_user struct but that part is not debugged. 
> >> Only thing I can confirm is that I do not get the
> >>
> >> log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host);
> >>
> >> from line 816 of sudoers.c.
> >>
> >> I also checked the hosts file and there I do have the
> >>
> >> 192.168.110.3 nappali nappali.szilva
> >>
> >> entry.
> >>
> >> Still stuck with this.
> >
> >What is the output of 'hostname' ?
> >
> >I don't think sudo canonicalizes it..
> >
> >--
> doma@nappali:/home/doma> hostname
> nappali

Can you try setting it to nappali?
#hostnamectl set-hostname nappali.silva
on modern systems.

> doma@nappali:/home/doma> hostname --fqdn
> nappali.szilva

From kretebe at freemail.hu Tue Sep 15 08:53:59 2015
From: kretebe at freemail.hu (=?UTF-8?Q?Moln=C3=A1r_Domokos?=)
Date: Tue, 15 Sep 2015 10:53:59 +0200 (CEST)
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
In-Reply-To: <20150915080742.GF2884@hendrix>
Message-ID: 

Jakub Hrozek wrote:
>On Tue, Sep 15, 2015 at 09:13:09AM +0200, Molnár Domokos wrote:
>>
>> Jakub Hrozek wrote:
>> >On Tue, Sep 15, 2015 at 07:25:17AM +0200, Molnár Domokos wrote:
>> >> On 09/14/2015 03:08 PM, Pavel Březina wrote:
>> >> >On 09/11/2015 02:40 PM, Molnár Domokos wrote:
>> >>
>> >> >>Full log attached.
>> >> >> "Molnár Domokos" wrote:
>> >> >> >> >> >> >> >> >> "Pavel Březina" wrote:
>> >> >> >> >> >> On 09/09/2015 09:31 PM, Molnár Domokos wrote:
>> >> >> > I have a working IPA server and a working client config on an OpenSuse
>> >> >> > 13.2 with the following versions:
>> >> >> > nappali:~ # rpm -qa |grep sssd
>> >> >> > sssd-tools-1.12.2-3.4.1.i586
>> >> >> > sssd-krb5-1.12.2-3.4.1.i586
>> >> >> > python-sssd-config-1.12.2-3.4.1.i586
>> >> >> > sssd-ipa-1.12.2-3.4.1.i586
>> >> >> > sssd-1.12.2-3.4.1.i586
>> >> >> > sssd-dbus-1.12.2-3.4.1.i586
>> >> >> > sssd-krb5-common-1.12.2-3.4.1.i586
>> >> >> > sssd-ldap-1.12.2-3.4.1.i586
>> >> >> > sssd is configured for nss, pam, sudo
>> >> >> > There is a test sudo rule defined in the ipa server, which applies to
>> >> >> > user "doma". However when the user tries to use sudo the rule does not
>> >> >> > work.
>> >> >> > doma@nappali:/home/doma> sudo ls
>> >> >> > doma's password:
>> >> >> > doma is not allowed to run sudo on nappali. This incident will be reported.
>> >> >> > The corresponding log in the sssd_sudo.log is this:
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> >> >> > Received client version [1].
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> >> >> > Offered version [1].
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> >> >> > (0x0200): name 'doma' matched without domain, user is doma
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> >> >> > (0x0200): name 'doma' matched without domain, user is doma
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> >> >> > (0x0200): Requesting default options for [doma] from []
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> >> >> > Requesting info about [doma@szilva]
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>> >> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> >> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>> >> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> >> >> > [(&(objectClass=sudoRule)(|(name=defaults)))]
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> >> >> > (0x0200): name 'doma' matched without domain, user is doma
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> >> >> > (0x0200): name 'doma' matched without domain, user is doma
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> >> >> > (0x0200): Requesting rules for [doma] from []
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> >> >> > Requesting info about [doma@szilva]
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>> >> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> >> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>> >> >> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>> >> >> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> >> >> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
>> >> >> > (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client
>> >> >> > disconnected!
>> >> >> > This seems perfectly OK with one exception. The query against the sysdb
>> >> >> > does not find the entry. This is strange because the entry is there.
>> >> >> > Log in sssd.log:
>> >> >> > (Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200):
>> >> >> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
>> >> >> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
>> >> >> > Running the exact same query seen above in the sssd_sudo.log against the
>> >> >> > db returns:
>> >> >> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
>> >> >> > "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
>> >> >> > asq: Unable to register control with rootdse!
>> >> >> > # record 1
>> >> >> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>> >> >> > cn: Doma_ls
>> >> >> > dataExpireTimestamp: 1441830262
>> >> >> > entryUSN: 20521
>> >> >> > name: Doma_ls
>> >> >> > objectClass: sudoRule
>> >> >> > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
>> >> >> > sudoCommand: ls
>> >> >> > sudoHost: nappali.szilva
>> >> >> > sudoRunAsGroup: ALL
>> >> >> > sudoRunAsUser: ALL
>> >> >> > sudoUser: doma
>> >> >> > distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>> >> >> > # returned 1 records
>> >> >> > # 1 entries
>> >> >> > # 0 referrals
>> >> >> > This confirms that the entry is indeed there in the db. Why is it found
>> >> >> > with ldbsearch and why does sssd_sudo not find it?
>> >> >> > I am pretty much stuck with this one. Anyone has an idea?
>> >> >> >
>> >> >> >
>> >> >> Hi,
>> >> >> this is strange. Can you provide the logs with debug level set to 0x3ff0
>> >> >> please? Can you also send it as an attachment? Thanks!
>> >> >>
>> >> >> Sure. Here it is. Now I can see that the rule is returned. The
>> >> >> question is why the rule does not match. Anyway much better :)
>> >> >
>> >> >Hi, thanks for the logs. Since the rule is returned, we will get more information from sudo logs. Can you please enable sudo logging by putting the following line into /etc/sudo.conf?
>> >> >
>> >> >Debug sudo /var/log/sudo_debug all@trace
>> >> >
>> >> >Run sudo and send us /var/log/sudo_debug? Thanks
>> >>
>> >> Thanks for the tip with the proper debug syntax - I was unable to get a single log item out of sudo before.
>> >>
>> >> I think I have found something.
>> >> This is the relevant part of the output of all@debug (you need this, not trace, I think):
>> >>
>> >> Sep 14 22:13:39 sudo[2314] username=doma
>> >> Sep 14 22:13:39 sudo[2314] domainname=NULL
>> >> Sep 14 22:13:39 sudo[2314] state |= USERMATCH
>> >> Sep 14 22:13:39 sudo[2314] Received 1 rule(s)
>> >> Sep 14 22:13:39 sudo[2314] -> sudo_sss_filter_result @ ./sssd.c:175
>> >> Sep 14 22:13:39 sudo[2314] in_res=0xb7c9c1b8, count=1, act=INCLUDE
>> >> Sep 14 22:13:39 sudo[2314] emalloc: cnt=1
>> >> Sep 14 22:13:39 sudo[2314] -> sudo_sss_result_filterp @ ./sssd.c:648
>> >> Sep 14 22:13:39 sudo[2314] -> sudo_sss_check_host @ ./sssd.c:556
>> >> Sep 14 22:13:39 sudo[2314] val[0]=nappali.szilva
>> >> Sep 14 22:13:39 sudo[2314] -> addr_matches @ ./match_addr.c:206
>> >> Sep 14 22:13:39 sudo[2314] -> addr_matches_if @ ./match_addr.c:61
>> >> Sep 14 22:13:39 sudo[2314] <- addr_matches_if @ ./match_addr.c:71 := false
>> >> Sep 14 22:13:39 sudo[2314] IP address nappali.szilva matches local host: false @ addr_matches() ./match_addr.c:217
>> >> Sep 14 22:13:39 sudo[2314] <- addr_matches @ ./match_addr.c:218 := false
>> >> Sep 14 22:13:39 sudo[2314] -> netgr_matches @ ./match.c:941
>> >> Sep 14 22:13:39 sudo[2314] netgroup appali.szilva has no leading '+'
>> >> Sep 14 22:13:39 sudo[2314] <- netgr_matches @ ./match.c:953 := false
>> >> Sep 14 22:13:39 sudo[2314] -> hostname_matches @ ./match.c:776
>> >> Sep 14 22:13:39 sudo[2314] host nappali matches sudoers pattern nappali.szilva: false @ hostname_matches() ./match.c:788
>> >> Sep 14 22:13:39 sudo[2314] <- hostname_matches @ ./match.c:789 := false
>> >> Sep 14 22:13:39 sudo[2314] sssd/ldap sudoHost 'nappali.szilva' ... not
>> >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_check_host @ ./sssd.c:591 := false
>> >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_filterp @ ./sssd.c:654 := 0
>> >> Sep 14 22:13:39 sudo[2314] reallocating result: 0xb7cb1900 (count: 1 -> 0)
>> >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_filter_result @ ./sssd.c:221 := 0xb7c9e410
>> >> Sep 14 22:13:39 sudo[2314] u_sss_result=(0xb7c9c1b8, 1) => f_sss_result=(0xb7c9e410, 0)
>> >> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_get @ ./sssd.c:728 := 0xb7c9e410
>> >> Sep 14 22:13:39 sudo[2314] searching SSSD/LDAP for sudoers entries
>> >> Sep 14 22:13:39 sudo[2314] Done with LDAP searches
>> >>
>> >>
>> >> And here is the code from match.c.
>> >>
>> >> bool
>> >> hostname_matches(const char *shost, const char *lhost, const char *pattern)
>> >> {
>> >>     debug_decl(hostname_matches, SUDO_DEBUG_MATCH)
>> >>     const char *host;
>> >>     bool rc;
>> >>
>> >>     /* a pattern with a dot is matched against the long host name, otherwise the short one */
>> >>     host = strchr(pattern, '.') != NULL ? lhost : shost;
>> >>     if (has_meta(pattern)) {
>> >>         rc = !fnmatch(pattern, host, FNM_CASEFOLD);
>> >>     } else {
>> >>         rc = !strcasecmp(host, pattern);
>> >>     }
>> >>     sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
>> >>         "host %s matches sudoers pattern %s: %s",
>> >>         host, pattern, rc ? "true" : "false");
>> >>     debug_return_bool(rc);
>> >> }
>> >>
>> >> By the look of it it should match. I tried to find out how shost and lhost get their values - these are macros to a member of the sudo_user struct but that part is not debugged. The only thing I can confirm is that I do not get the
>> >>
>> >> log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host);
>> >>
>> >> from line 816 of sudoers.c.
>> >>
>> >> I also checked the hosts file and there I do have the
>> >>
>> >> 192.168.110.3 nappali nappali.szilva
>> >>
>> >> entry.
>> >>
>> >> Still stuck with this.
>> >
>> >What is the output of 'hostname' ?
>> >
>> >I don't think sudo canonicalizes it..
>> >
>> >--
>> doma@nappali:/home/doma> hostname
>> nappali
>
>Can you try setting it to nappali?
>
>#hostnamectl set-hostname nappali.silva
>on modern systems.
>
>> doma@nappali:/home/doma> hostname --fqdn
>> nappali.szilva

doma@nappali:/home/doma> su
Password:
nappali:/home/doma # hostnamectl set-hostname nappali.szilva
nappali:/home/doma # hostname
nappali.szilva
nappali:/home/doma # hostname --fqdn
nappali.szilva
nappali:/home/doma # su doma
sh-4.2$ sudo ls
doma's password:
20140921.ZIP  Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack  42646515_eb8d7dcabe416247463f1bc8652adced.pdf

Now it works, the rule is matched. I'm not sure this is the intended way, especially seeing the fqdn mechanism in the sudo code, but I'll just keep it that way. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jpazdziora at redhat.com Tue Sep 15 09:03:27 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 15 Sep 2015 11:03:27 +0200
Subject: [Freeipa-users] ipa-client-install --request-cert fails
In-Reply-To: <20150914075940.GI15811@redhat.com>
References: <20150914075940.GI15811@redhat.com>
Message-ID: <20150915090327.GA3007@redhat.com>

On Mon, Sep 14, 2015 at 09:59:40AM +0200, Jan Pazdziora wrote:
> On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote:
> > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo
> > wrote:
> >
> > > on a centos 7.1 host when enrolling it with (among other) the switch
> > > --request-cert it does not create a host certificate for it. The host is
> > > properly joined but no certificate is present.
> > >
> > > In the ipaclient-install.log file I see this:
> > >
> > > 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed
> >
> > it's not working when joining a centos 6.7 realm either, same error.
>
> Also reproduced on RHEL 7.1 and RHEL 7.2 (to be). I've filed
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1262718
>
> now.
> > Thank you for bringing this to our attention.

It turns out it's wrong labeling of the /etc/ipa/nssdb directory that the certificate should get stored in:

https://bugzilla.redhat.com/show_bug.cgi?id=1262718#c7

Giving it cert_t should help this particular issue but we need to investigate if it has the potential to break something else.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From brian at interlinx.bc.ca Tue Sep 15 10:35:40 2015
From: brian at interlinx.bc.ca (Brian J. Murrell)
Date: Tue, 15 Sep 2015 06:35:40 -0400
Subject: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate
In-Reply-To: <1442062679.4520.24.camel@interlinx.bc.ca>
References: <1442062679.4520.24.camel@interlinx.bc.ca>
Message-ID: <1442313340.4520.165.camel@interlinx.bc.ca>

On Sat, 2015-09-12 at 08:57 -0400, Brian J. Murrell wrote:
> Due to the bug in mod_nss that prevents SNI from functioning (i.e.
> limits a port to a single certificate) I need to add SANs
> (SubjectAltName) to the certificate that freeipa created for the
> webserver (Server-Cert) so that I can add more virtual hosts to the
> same Apache instance (yes, I know this is not advised but budgetary
> constraints are at play here).
>
> How do I go about that? Do I want to resubmit the certificate request
> with some -D alt.name1 -D alt.name2, etc. parameters as such:
>
> # ipa-getcert resubmit -i -D alt.name1 -D alt.name2
>
> Is that the correct operation? If so, is there anything more I need to
> do after that?

Nobody knows? I would have thought that this would be one of the easier routines in IPA certificate handling, no?

Cheers,
b.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL:

From abokovoy at redhat.com Tue Sep 15 10:58:07 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 15 Sep 2015 13:58:07 +0300
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
In-Reply-To:
References: <20150915080742.GF2884@hendrix>
Message-ID: <20150915105807.GH6168@redhat.com>

On Tue, 15 Sep 2015, Molnár Domokos wrote:
>>#hostnamectl set-hostname nappali.silva
>>on modern systems.
>>
>>> doma@nappali:/home/doma> hostname --fqdn
>>> nappali.szilva
> doma@nappali:/home/doma> su
>Password:
>nappali:/home/doma # hostnamectl set-hostname nappali.szilva
>nappali:/home/doma # hostname
>nappali.szilva
>nappali:/home/doma # hostname --fqdn
>nappali.szilva
>nappali:/home/doma # su doma
>sh-4.2$ sudo ls
>doma's password:
>20140921.ZIP Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack
>42646515_eb8d7dcabe416247463f1bc8652adced.pdf
> Now it works, the rule is matched. I'm not sure this is the
> intended way especially seeing the fqdn mechanism in the sudo code
> but I'll just keep it that way. Thank you.
sudo doesn't do normalization and IPA's way of exposing host names is by using fqdn by default. So sudo compares the local hostname with the fqdn-based one, guess which way it will succeed?

You theoretically could have every hostname in IPA registered non-fqdn, but what you cannot have is a mix between fqdn and non-fqdn names.
--
/ Alexander Bokovoy

From mkosek at redhat.com Tue Sep 15 11:01:02 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 15 Sep 2015 13:01:02 +0200
Subject: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate
In-Reply-To: <1442313340.4520.165.camel@interlinx.bc.ca>
References: <1442062679.4520.24.camel@interlinx.bc.ca> <1442313340.4520.165.camel@interlinx.bc.ca>
Message-ID: <55F7FA6E.4030208@redhat.com>

On 09/15/2015 12:35 PM, Brian J.
Murrell wrote:
> On Sat, 2015-09-12 at 08:57 -0400, Brian J. Murrell wrote:
>> Due to the bug in mod_nss that prevents SNI from functioning (i.e.
>> limits a port to a single certificate) I need to add SANs
>> (SubjectAltName) to the certificate that freeipa created for the
>> webserver (Server-Cert) so that I can add more virtual hosts to the
>> same Apache instance (yes, I know this is not advised but budgetary
>> constraints are at play here).
>>
>> How do I go about that? Do I want to resubmit the certificate request
>> with some -D alt.name1 -D alt.name2, etc. parameters as such:
>>
>> # ipa-getcert resubmit -i -D alt.name1 -D alt.name2
>>
>> Is that the correct operation? If so, is there anything more I need to
>> do after that?
>
> Nobody knows? I would have thought that this would be one of the
> easier routines in IPA certificate handling, no?

BTW, there was a related thread on freeipa-users in the past, with some links to related information:

https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html

I assume the only change since then is that FreeIPA now supports the proper SAN extension.

From brian at interlinx.bc.ca Tue Sep 15 11:22:19 2015
From: brian at interlinx.bc.ca (Brian J.
Murrell)
Date: Tue, 15 Sep 2015 07:22:19 -0400
Subject: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate
In-Reply-To: <55F7FA6E.4030208@redhat.com>
References: <1442062679.4520.24.camel@interlinx.bc.ca> <1442313340.4520.165.camel@interlinx.bc.ca> <55F7FA6E.4030208@redhat.com>
Message-ID: <1442316139.4520.173.camel@interlinx.bc.ca>

On Tue, 2015-09-15 at 13:01 +0200, Martin Kosek wrote:
> BTW, there was related thread on freeipa-users in the past, with some
> links to related information:
>
> https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html

So this writeup seems to ignore the fact that Apache and the certificate store have already been established with mod_nss by the time you are finished with a FreeIPA installation, and does nothing about that in consideration of the fact that mod_nss and mod_ssl are mutually exclusive (AFAIU) for a single port.

But yeah. I did consider ditching mod_nss and replacing it with mod_ssl but that seems like quite an extensive disruption to the default FreeIPA Apache configuration. In my experience, the further you get out of the box with integration projects like FreeIPA, the more fragile things are for future upgrading.

> I assume the only change since then is that FreeIPA now supports
> proper SAN extension.

Indeed, which seems to provide for a cleaner hack. It leaves the Apache configuration for FreeIPA intact and makes the future reversion, when mod_nss properly supports SNI, easier.

Cheers,
b.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL:

From jhrozek at redhat.com Tue Sep 15 11:37:48 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 15 Sep 2015 13:37:48 +0200
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
In-Reply-To: <20150915105807.GH6168@redhat.com>
References: <20150915080742.GF2884@hendrix> <20150915105807.GH6168@redhat.com>
Message-ID: <20150915113748.GL2884@hendrix>

On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote:
> On Tue, 15 Sep 2015, Molnár Domokos wrote:
> >>#hostnamectl set-hostname nappali.silva
> >>on modern systems.
> >>
> >>>doma@nappali:/home/doma> hostname --fqdn
> >>>nappali.szilva
> >doma@nappali:/home/doma> su
> >Password:
> >nappali:/home/doma # hostnamectl set-hostname nappali.szilva
> >nappali:/home/doma # hostname
> >nappali.szilva
> >nappali:/home/doma # hostname --fqdn
> >nappali.szilva
> >nappali:/home/doma # su doma
> >sh-4.2$ sudo ls
> >doma's password:
> >20140921.ZIP Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack
> >42646515_eb8d7dcabe416247463f1bc8652adced.pdf
> > Now it works, the rule is matched. I'm not sure this is the
> > intended way especially seeing the fqdn mechanism in the sudo code
> > but I'll just keep it that way. Thank you.
> sudo doesn't do normalization and IPA's way of exposing host names is
> by using by default fqdn. So sudo compares local hostname with
> fqdn-based one, guess which way it will succeed?
>
> You theoretically could have every hostname in IPA registered non-fqdn
> but what you cannot have is a mix between fqdn- and non-fqdn names.

You can have a different hostname registered with IPA than what hostname(1) reports, we have an ipa_hostname parameter for that. But there's no way for sudo to learn about it..
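The comparison Alexander and Jakub describe above, as an added example that is not sudo's own code and not part of this thread: a stand-alone C re-implementation of the sudoHost check, modelled on the hostname_matches() function Domokos posted earlier in the thread with sudo's debug macros removed. It evaluates the rule's sudoHost value "nappali.szilva" three ways: with the short host name in both slots (what the sudo debug log showed before the fix), with the fqdn as the long host name (what `hostnamectl set-hostname nappali.szilva` produced), and with a wildcard pattern. The host names and sudoHost value come from the thread; the has_meta() helper, the short_hostname() helper, the simplified sudo_host_matches() wrapper and its netgroup handling (treated as no match, since no netgroup lookup is done here) are assumptions of this example, as is leaving out the IP/CIDR matching that sudo also performs.

```c
#define _GNU_SOURCE          /* FNM_CASEFOLD is a GNU/BSD extension to fnmatch(3) */
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not sudo's source: does the pattern carry any glob metacharacter? */
static bool has_meta(const char *s)
{
    return strpbrk(s, "*?[\\") != NULL;
}

/*
 * Same decision rule as the hostname_matches() posted in the thread:
 * a pattern that contains a dot is compared against the long (fully
 * qualified) host name, a pattern without a dot against the short one.
 * Either comparison is case-insensitive; globbing patterns go through
 * fnmatch(3), plain names through strcasecmp(3).
 */
bool hostname_matches(const char *shost, const char *lhost, const char *pattern)
{
    const char *host = strchr(pattern, '.') != NULL ? lhost : shost;

    if (has_meta(pattern))
        return fnmatch(pattern, host, FNM_CASEFOLD) == 0;
    return strcasecmp(host, pattern) == 0;
}

/*
 * Simplified sudoHost check (assumption of this example): "ALL" always
 * matches, a leading '+' marks a netgroup, which is not resolved here
 * and therefore never matches, everything else is a host name pattern.
 */
bool sudo_host_matches(const char *shost, const char *lhost, const char *sudo_host)
{
    if (strcmp(sudo_host, "ALL") == 0)
        return true;
    if (sudo_host[0] == '+')
        return false;            /* netgroup lookup not implemented here */
    return hostname_matches(shost, lhost, sudo_host);
}

/* Short host name as hostname(1) would report it: everything before the first dot. */
void short_hostname(const char *name, char *out, size_t outlen)
{
    const char *dot = strchr(name, '.');
    size_t n = dot != NULL ? (size_t)(dot - name) : strlen(name);

    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, name, n);
    out[n] = '\0';
}

int main(void)
{
    const char *rule_host = "nappali.szilva";   /* sudoHost of the IPA rule Doma_ls */
    char shost[64];

    /* Before the fix: hostname(1) returned "nappali" and the sudo debug log
     * shows the long host name was also just "nappali", so the dotted
     * pattern is compared against "nappali" and fails. */
    printf("shost=nappali lhost=nappali        -> %s\n",
           sudo_host_matches("nappali", "nappali", rule_host) ? "match" : "no match");

    /* After `hostnamectl set-hostname nappali.szilva`: the long name is the fqdn. */
    short_hostname("nappali.szilva", shost, sizeof shost);
    printf("shost=%s lhost=nappali.szilva -> %s\n", shost,
           sudo_host_matches(shost, "nappali.szilva", rule_host) ? "match" : "no match");

    /* A wildcard sudoHost is matched case-insensitively with fnmatch(). */
    printf("pattern *.szilva vs NAPPALI.szilva -> %s\n",
           sudo_host_matches("nappali", "NAPPALI.szilva", "*.szilva") ? "match" : "no match");
    return 0;
}
```

The first call reproduces the "host nappali matches sudoers pattern nappali.szilva: false" line from the debug log; the second shows why setting the system hostname to the fqdn made the rule apply. A rule whose sudoHost is the bare "nappali" would match in both configurations, because a dotless pattern is compared against the short name.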
> --
> / Alexander Bokovoy

From Andy.Thompson at e-tcc.com Tue Sep 15 12:24:45 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Tue, 15 Sep 2015 12:24:45 +0000
Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
In-Reply-To:
References:
Message-ID: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local>

I just updated several machines to RHEL 6.7 and seem to have broken my sudo rules. I've tracked the problem down to having

Default_domain_suffix = ad.domain

in the sssd.conf. If I remove that I can login using the fqn from AD and sudo rules are applied as configured. However I don't want to force my users to change to using their fqn to login, and due to having db2 in the environment our usernames are limited to 8 characters so we cannot use the fqn regardless.

I tested adding a local sudo rule for %ad_domain_group@ipa.domain and it worked, but any IPA rules are not working. A rule in the sudoers would not work unless it was a fqn either, which I expected with the default domain suffix set.

Update installed sssd-1.12.4-47.el6.x86_64. Redhat wants me to test downgrading my sssd, which I'm not entirely opposed to in order to get things working, but there are some fixes in this release I kinda want to keep.

-andy

*** This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. ***

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From jhrozek at redhat.com Tue Sep 15 12:36:38 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 15 Sep 2015 14:36:38 +0200
Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
In-Reply-To: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local>
References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local>
Message-ID: <20150915123638.GN2884@hendrix>

Sorry for not replying sooner, many of us were mostly offline last week. I'll try to reproduce locally..

On Tue, Sep 15, 2015 at 12:24:45PM +0000, Andy Thompson wrote:
> I just updated several machines to RHEL 6.7 and seem to have broken my sudo rules. I've tracked the problem down to having
>
> Default_domain_suffix = ad.domain
>
> In the sssd.conf. If I remove that I can login using the fqn from AD and sudo rules are applied as configured. However I don't want to force my users to change to using their fqn to login, and due to having db2 in the environment our usernames are limited to 8 characters so we cannot use the fqn regardless.
>
> I tested adding a local sudo rule for %ad_domain_group@ipa.domain and it worked, but any IPA rules are not working. A rule in the sudoers would not work unless it was a fqn either which I expected with the default domain suffix set.
>
> Update installed sssd-1.12.4-47.el6.x86_64. Redhat wants me to test downgrading my sssd, which I'm not entirely opposed to in order to get things working, but there are some fixes in this release I kinda want to keep.
>
> -andy

From kretebe at freemail.hu Tue Sep 15 13:59:52 2015
From: kretebe at freemail.hu (Molnár Domokos)
Date: Tue, 15 Sep 2015 15:59:52 +0200 (CEST)
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
In-Reply-To: <20150915113748.GL2884@hendrix>
Message-ID:

On 09/15/2015 01:37 PM, Jakub Hrozek wrote:
>On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote:
>>On Tue, 15 Sep 2015, Molnár Domokos wrote:
>>>>#hostnamectl set-hostname nappali.silva
>>>>on modern systems.
>>>>>doma@nappali:/home/doma> hostname --fqdn
>>>>>nappali.szilva
>>>doma@nappali:/home/doma> su
>>>Password:
>>>nappali:/home/doma # hostnamectl set-hostname nappali.szilva
>>>nappali:/home/doma # hostname
>>>nappali.szilva
>>>nappali:/home/doma # hostname --fqdn
>>>nappali.szilva
>>>nappali:/home/doma # su doma
>>>sh-4.2$ sudo ls
>>>doma's password:
>>>20140921.ZIP Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack
>>>42646515_eb8d7dcabe416247463f1bc8652adced.pdf
>>>Now it works, the rule is matched. I'm not sure this is the intended way especially seeing the fqdn mechanism in the sudo code but I'll just keep it that way. Thank you.
>>sudo doesn't do normalization and IPA's way of exposing host names is by using by default fqdn. So sudo compares local hostname with fqdn-based one, guess which way it will succeed?
>>
>>You theoretically could have every hostname in IPA registered non-fqdn but what you cannot have is a mix between fqdn- and non-fqdn names.
>You can have registered a different hostname with IPA than what hostname(1) reports, we have an ipa_hostname parameter for that. But there's no way for sudo to learn about it..

You may well be right but I still think this is a bug in the sudo/sssd plugin. Here's why I think so:

@line 582 in sssd.c, when calling hostname_matches, it is a clear intention of the code that the hostname matching is done both against the fqdn and the naked hostname.

@lines 773-790 the implementation of hostname_matches(..) is done correctly. It guesses intelligently and chooses to match either against the fqdn or the naked hostname based on the format of the hostname provided by IPA. If there is a '.' in the IPA-provided hostname then the hostname is compared to the fqdn, otherwise it is compared to the bare hostname.

@line 805 in sudoers.c, in set_fqdn, the fqdn is correctly retrieved for the host during initialization - so sudo is indeed aware of both host name versions. I tested this part and it works OK.

The bug - I think - is that the information correctly retrieved during init through set_fqdn in sudoers.c somehow does not make its way to line 582 in sssd.c. There both user_shost and user_host seem to contain the naked hostname unless the bare hostname contains the fqdn itself.

I do not have enough time to find out why this happens but the above evidence suggests that there is a bug somewhere in the process.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ellertalexandre at gmail.com Tue Sep 15 12:09:45 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Tue, 15 Sep 2015 14:09:45 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To:
References: <20150722160802.GA21928@redhat.com> <20150722164042.GB21928@redhat.com> <55B087C9.3060900@redhat.com> <20150723064133.GE21928@redhat.com> <20150728035937.GG21928@redhat.com> <20150828150920.GV22106@redhat.com> <9859EB0E-319F-450E-8ABC-D682C8DC8836@gmail.com> <20150828154119.GY22106@redhat.com> <3FE94CE3-CCC8-4B2A-AA40-9736F66BBDB5@gmail.com> <55E9AC8C.2080907@redhat.com>
Message-ID:

So, here is the recap:
I migrated a single IPA server on Centos 6.6 to a dual IPA server setup on Centos 7.1. The PKI was only installed on server two.
Everything was working fine, replication OK, new enrollments OK, authentication with Kerberos and LDAP OK.
After some time, I discovered that the pki-tomcatd service didn't restart automatically after reboot on server two.
Now I want to repair things, but I can't deploy a new PKI and I can't delete the existing broken PKI...
Maybe I should use ipa-backup and then rebuild an IPA infrastructure and then ipa-restore?
Please advise.

2015-09-07 13:36 GMT+02:00 Alexandre Ellert:

>
> > On 4 Sept 2015 at 16:37, Martin Babinsky wrote:
> >
> > On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
> >>
> >>> On 28 Aug 2015 at 17:41, Alexander Bokovoy wrote:
> >>>
> >>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
> >>>>
> >>>>> On 28 Aug 2015 at 17:09, Alexander Bokovoy wrote:
> >>>>>
> >>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
> >>>>>>
> >>>>>>> On 28 Jul 2015 at 05:59, Alexander Bokovoy wrote:
> >>>>>>>> If the problem is too hard to solve, maybe I should try to deploy
> >>>>>>>> another replica ?
> >>>>>>> You may try that. Sorry for not responding, I have some other
> >>>>>>> tasks that occupy my time right now.
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Can you please tell me the procedure to decommission and re-create
> >>>>>> a new replica ?
> >>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the
> >>>>>> only things to do ?
> >>>>> No, you need also to remove the server from the replication topology.
> >>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
> >>>>>
> >>>>> --
> >>>>> / Alexander Bokovoy
> >>>>
> >>>> I can't remove the node on which I have the problem with pki-tomcatd:
> >>>>
> >>>> # ipa-replica-manage del xxxx.example.com
> >>>> Deleting a master is irreversible.
> >>>> To reconnect to the remote master you will need to prepare a new
> >>>> replica file and re-install.
> >>>> Continue to delete? [no]: yes
> >>>> Deleting this server is not allowed as it would leave your
> >>>> installation without a CA
> >>>>
> >>>> It seems that it's the only node where the CA is installed. What should I
> >>>> do now ?
> >>> Add a replica with CA using ipa-ca-install on existing replica.
> >>>
> >>> Read the guide, it has detailed coverage of these situations.
> >>> --
> >>> / Alexander Bokovoy
> >>
> >> On the first node (which is working and without pki-tomcatd service)
> >> # ipa-ca-install
> >> Directory Manager (existing master) password:
> >>
> >> CA is already installed.
> >>
> >> How is it possible ?
> >>
> >>
> > You must provide a replica file as an argument to ipa-ca-install if you
> > want to setup CA on another replica.
> >
> >
> > --
> > Martin^3 Babinsky
>
> I'm still stuck with the correct command line:
> [root@inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin@NUMEEZY.FR password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'inf-ipa.numeezy.fr':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): WARNING
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): WARNING
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/21]: creating certificate server user
>   [2/21]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit status 1
>   [error] RuntimeError: Configuration of CA failed
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From canepa.n at mmfg.it Tue Sep 15 15:14:00 2015
From: canepa.n at mmfg.it (Nicola Canepa)
Date: Tue, 15 Sep 2015 17:14:00 +0200
Subject: [Freeipa-users] Partial replica
Message-ID: <55F835B8.9030206@mmfg.it>

Hello list.
I'm trying to make a test deploy of FreeIPA, and I was wondering if it is possible to authenticate remote sites via LDAP by having a partial replica based on some filter (maybe a group, an attribute or similar).

Sorry if this is a silly question, but I am trying to explore the possibilities that I could have to slowly replace local authentications spread in various sites by having a central store (backed by FreeIPA) and many partial replicas which would contain what I now have in RADIUS or other authentication sources.

Thank you for any advice or pointer you can give to me.

Nicola

--
Nicola Canepa
canepa.n at mmfg.it

---
The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties.

From Steven.Jones at vuw.ac.nz Tue Sep 15 21:00:56 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 15 Sep 2015 21:00:56 +0000
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To:
References: <20150722160802.GA21928@redhat.com> <20150722164042.GB21928@redhat.com> <55B087C9.3060900@redhat.com> <20150723064133.GE21928@redhat.com> <20150728035937.GG21928@redhat.com> <20150828150920.GV22106@redhat.com> <9859EB0E-319F-450E-8ABC-D682C8DC8836@gmail.com> <20150828154119.GY22106@redhat.com> <3FE94CE3-CCC8-4B2A-AA40-9736F66BBDB5@gmail.com> <55E9AC8C.2080907@redhat.com>
Message-ID:

Hi,

I am in a similar boat, well RHEL 6.7 to RHEL 7.1. I joined a RHEL 7.1 / IPA 4.1 to the 6.7 / IPA 3.0 --self-cert domain, got rid of all the 6.7's so I was CA-less.
Did a full backup on the RHEL7.1 / IPA 4.1. Blew away the ipa server, installed fresh, pki-tomcat runs, did a restore and pki-tomcat doesn't run.

btw what does --data do? I tried that before a full restore and no passwords worked, i.e. I could not login and no users worked at all, so it seems pointless? or maybe rather what is it for? and when to use it?

regards

Steven

________________________________
From: freeipa-users-bounces at redhat.com on behalf of Alexandre Ellert
Sent: Wednesday, 16 September 2015 12:09 a.m.
To: Martin Babinsky
Cc: freeipa-users at redhat.com; Alexander Bokovoy
Subject: Re: [Freeipa-users] Failed to start pki-tomcatd Service

So, here is the recap:

I migrated a single IPA server CentOS 6.6 to a dual IPA server CentOS 7.1. The PKI was only installed on server two.
Everything was working fine, replication OK, new enrollments OK, authentication with Kerberos and LDAP OK.
After some time, I discovered that the pki-tomcatd service didn't restart automatically after reboot on server two.
Now I want to repair things, but I can't deploy a new PKI and I can't delete the existing broken PKI...
Maybe I should use ipa-backup and then rebuild an IPA infrastructure and then ipa-restore?
Please advise.

2015-09-07 13:36 GMT+02:00 Alexandre Ellert:

> On 4 Sep 2015, at 16:37, Martin Babinsky wrote:
>
> On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
>>
>>> On 28 Aug 2015, at 17:41, Alexander Bokovoy wrote:
>>>
>>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>>>>
>>>>> On 28 Aug 2015, at 17:09, Alexander Bokovoy wrote:
>>>>>
>>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>>>>
>>>>>>> On 28 Jul 2015, at 05:59, Alexander Bokovoy wrote:
>>>>>>>> If the problem is too hard to solve, maybe I should try to deploy another
>>>>>>>> replica ?
>>>>>>> You may try that. Sorry for not responding, I have some other tasks that
>>>>>>> occupy my time right now.
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Can you please tell me the procedure to decommission and re-create a new replica ?
>>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the only things to do ?
>>>>> No, you need also to remove the server from the replication topology.
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>
>>>> I can't remove the node on which I have the problem with pki-tomcatd :
>>>>
>>>> # ipa-replica-manage del xxxx.example.com
>>>> Deleting a master is irreversible.
>>>> To reconnect to the remote master you will need to prepare a new replica file
>>>> and re-install.
>>>> Continue to delete? [no]: yes
>>>> Deleting this server is not allowed as it would leave your installation without a CA
>>>>
>>>> It seems that it's the only node where CA is installed. What should I do now ?
>>> Add a replica with CA using ipa-ca-install on existing replica.
>>>
>>> Read the guide, it has detailed coverage of these situations.
>>> --
>>> / Alexander Bokovoy
>>
>> On the first node (which is working and without pki-tomcatd service)
>> # ipa-ca-install
>> Directory Manager (existing master) password:
>>
>> CA is already installed.
>>
>> How is it possible ?
>>
>>
> You must provide a replica file as an argument to ipa-ca-install if you want to setup CA on another replica.
>
> --
> Martin^3 Babinsky

I'm still stuck with the correct command line :

[root at inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at NUMEEZY.FR password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'inf-ipa.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

Connection check OK
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit status 1
  [error] RuntimeError: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed

From APtashnik at cccis.com Wed Sep 16 02:59:50 2015
From: APtashnik at cccis.com (Andrey Ptashnik)
Date: Wed, 16 Sep 2015 02:59:50 +0000
Subject: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
Message-ID:

Dear IPA Team,

We have a situation in our datacenter where we deployed Red Hat 7.1 with IPA server 4.1 and on the other hand we still have older machines with Red Hat 5 and 6. I noticed that repositories associated with version 6 have an older version of the client software - v.3.0. Therefore some functionality is missing from client package 3 vs 4, like automatic update of both forward and reverse DNS records.

Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without much breaking dependencies in OS?

Regards,

Andrey Ptashnik | Network Architect
CCC Information Services Inc.
222 Merchandise Mart Plaza, Suite 900
Chicago, IL 60654
Office: +1-312-229-2533 | Cell : +1-773-315-0200 | aptashnik at cccis.com

From abokovoy at redhat.com Wed Sep 16 13:43:32 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 16 Sep 2015 16:43:32 +0300
Subject: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
In-Reply-To:
References:
Message-ID: <20150916134332.GQ6168@redhat.com>

On Wed, 16 Sep 2015, Andrey Ptashnik wrote:
>Dear IPA Team,
>
>We have a situation in our datacenter where we deployed Red Hat 7.1 with IPA server 4.1 and on the other hand we still have older machines with Red Hat 5 and 6. I noticed that repositories associated with version 6 have an older version of the client software - v.3.0.
>Therefore some functionality is missing from client package 3 vs 4, like automatic update of both forward and reverse DNS records.
>
>Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without much breaking dependencies in OS?

You don't need to install IPA python packages on older machines. These packages are mostly for administration purposes.

Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6 version of SSSD is on par with RHEL 7 version in the recent updates. Additionally, MIT Kerberos backports were done in the recent updates to allow OTP functionality in RHEL6 as well. So most of the features are there already, client-wise.

RHEL5 version does not have such updates and you can implement most of the support with existing SSSD and output of 'ipa-advise' tool on IPA masters. nsupdate integration would probably need to be done differently.

Backporting IPA v4.x client code to RHEL 5 or 6 in general does not make much sense.

--
/ Alexander Bokovoy

From APtashnik at cccis.com Wed Sep 16 16:30:50 2015
From: APtashnik at cccis.com (Andrey Ptashnik)
Date: Wed, 16 Sep 2015 16:30:50 +0000
Subject: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
In-Reply-To: <20150916134332.GQ6168@redhat.com>
References: <20150916134332.GQ6168@redhat.com>
Message-ID: <68F12368-A7D8-463A-BC34-BA1EB08C02CB@cccis.com>

Alexander,

Thank you for your feedback!

In my environment I noticed that client machines that are on Red Hat 6 have version 3.0.0 of IPA client installed.
[root at ptr-test-6 ~]# yum list installed | grep ipa
ipa-client.x86_64          3.0.0-47.el6
ipa-python.x86_64          3.0.0-47.el6
[root at ptr-test-6 ~]# yum list installed | grep sssd
python-sssdconfig.noarch   1.12.4-47.el6
sssd.x86_64                1.12.4-47.el6
sssd-ad.x86_64             1.12.4-47.el6
sssd-client.x86_64         1.12.4-47.el6
sssd-common.x86_64         1.12.4-47.el6
sssd-common-pac.x86_64     1.12.4-47.el6
sssd-ipa.x86_64            1.12.4-47.el6
sssd-krb5.x86_64           1.12.4-47.el6
sssd-krb5-common.x86_64    1.12.4-47.el6
sssd-ldap.x86_64           1.12.4-47.el6
sssd-proxy.x86_64          1.12.4-47.el6
[root at ptr-test-6 ~]#

And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 - when I add machines to the domain using the command below:

# ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir

DNS records populate in the Forward lookup zone, but no PTR records appear in Reverse lookup zones. That behavior is not the same with the IPA client 4.1 and IPA server 4.1 version combination.

Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see the output below:

Synchronizing time with KDC...
Enrolled in IPA realm XXXXXXXXX.COM
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm XXXXXXXXX.COM
trying https://ipa-idm.XXXXXXXXX.COM/ipa/xml
Forwarding 'env' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
SSSD enabled
Configuring XXXXXXXXX.COM as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
Regards,

Andrey Ptashnik

On 9/16/15, 8:43 AM, "Alexander Bokovoy" wrote:

>On Wed, 16 Sep 2015, Andrey Ptashnik wrote:
>>Dear IPA Team,
>>
>>We have a situation in our datacenter where we deployed Red Hat 7.1 with IPA server 4.1 and on the other hand we still have older machines with Red Hat 5 and 6. I noticed that repositories associated with version 6 have an older version of the client software - v.3.0. Therefore some functionality is missing from client package 3 vs 4, like automatic update of both forward and reverse DNS records.
>>
>>Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without much breaking dependencies in OS?
>You don't need to install IPA python packages on older machines. These packages are mostly for administration purposes.
>
>Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6 version of SSSD is on par with RHEL 7 version in the recent updates. Additionally, MIT Kerberos backports were done in the recent updates to allow OTP functionality in RHEL6 as well. So most of features are there already, client-wise.
>
>RHEL5 version does not have such updates and you can implement most of the support with existing SSSD and output of 'ipa-advise' tool on IPA masters. nsupdate integration would probably need to be done differently.
>
>Backporting IPA v4.x client code to RHEL 5 or 6 in general makes not much sense.
>
>--
>/ Alexander Bokovoy

From CWhite at skytouchtechnology.com Wed Sep 16 16:54:26 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Wed, 16 Sep 2015 16:54:26 +0000
Subject: [Freeipa-users] last step in retiring old RHEL 6 (IPA 3.0.0) servers
Message-ID:

Virtually completed the steps listed here...

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

Managed to get IPA2 deleted and removed from 'ipa-replica-manage list' so now it is down to IPA1.
No amount of effort will seem to kill that sucker off.

$ ipa-replica-manage del ipa1.stt.local --force
Connection to 'ipa1.stt.local' failed:
Forcing removal of ipa1.stt.local
Skipping calculation to determine if one or more masters would be orphaned.
No RUV records found.

$ ipa-replica-manage del ipa1.stt.local --force -c
Connection to 'ipa1.stt.local' failed:
Forcing removal of ipa1.stt.local
Skipping calculation to determine if one or more masters would be orphaned.
No RUV records found.

$ ipa-replica-manage list
ipa1.stt.local: master
ipa3.stt.local: master
ipa4.stt.local: master

Obviously connection to ipa1 failed because in the previous step, I had to shut it down on ipa1 (ipactl stop)

What's the trick to get rid of an old, discontinued 'master'?

Craig White

From jduino at oblong.com Wed Sep 16 18:21:57 2015
From: jduino at oblong.com (John Duino)
Date: Wed, 16 Sep 2015 13:21:57 -0500 (CDT)
Subject: [Freeipa-users] How to add multivalued attribute to UI
Message-ID: <1801988592.398732.1442427717032.JavaMail.zimbra@oblong.com>

Greetings!

I am wanting to add a multivalued attribute (mailAlternateAddress, from objectClass:MailRecipient) to the User UI. We are running IPA 4.1.0-18.el7.centos.4.x86_64, on CentOS7. Adding it to the CLI was fairly straightforward.

I have a plugin at /usr/share/ipa/ui/js/plugins/altemail/altemail.js that I basically copied/hacked from some other docs/example I found. Two problems:

1) It will only show the first entry of mailAlternateAddress it finds (which I assume is a limitation of the get_item() function.)

2) While it inserts a text box in the UI in the Contacts section, it does not have the same ADD and DELETE buttons that, say, the 'mail' attribute has.

Any help would be appreciated!
Here is the plugin:

define([
        'freeipa/phases',
        'freeipa/user'],
    function(phases, user_mod) {

    // helper function: return the first element of array whose attr equals value
    function get_item(array, attr, value) {

        for (var i=0, l=array.length; i<l; i++) {
            if (array[i][attr] === value) return array[i];
        }
        return null;
    }

    var altemail_plugin = {};

    // adds 'mailalternateaddress' field into user details facet
    altemail_plugin.add_altemail_pre_op = function() {

        var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
        var section = get_item(facet.sections, 'name', 'contact');
        section.fields.push({
            type: 'multivalued',
            name: 'mailalternateaddress',
            label: 'E-mail Alias'
        });
        return true;
    };

    phases.on('customization', altemail_plugin.add_altemail_pre_op);

    return altemail_plugin;
});


Hi,

I have an IPA server running on redhat and I'm trying to find the best way to get my amazon linux instances to use it for authentication, ssh key management and sudo rules. I'm now trying to use SSSD to achieve those goals. Authentication is working but I'm having problems to get the user public ssh keys using /usr/bin/sss_ssh_authorizedkeys.

This is my sssd.conf:

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
debug_level = 8
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.my.domain.com
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
ldap_user_ssh_public_key = ipaSshPubKey

The original configuration was done using ipa-advise:

ipa-advise config-redhat-sssd-before-1-9

I just changed the services parameter to include "ssh, sudo" and "ldap_user_ssh_public_key".

When I run it on the client I get no response or error. Even running it in debug mode:

/usr/bin/sss_ssh_authorizedkeys admin --debug 10

ipaSshPubKey is already public in the IPA permissions.
The sssd_default.log on the client shows this when I run it (debug_level = 8):

(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [be_req_set_domain] (0x0400): Changing request domain from [default] to [default]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=compat,dc=my,dc=domain,dc=com]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_print_server] (0x2000): Searching 10.0.0.2
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=compat,dc=my,dc=domain,dc=com].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Wed Sep 16 18:13:36 2015)
[sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 3
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x1edd270],
connected[1], ops[0x1e9f5a0], ldap[0x1edcfd0]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uid]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [gecos]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x1edd270], connected[1], ops[0x1e9f5a0], ldap[0x1edcfd0]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x0400): Save user
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sss_parse_name] (0x0100): Domain not provided!
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object admin
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user admin
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x2000): Adding originalDN [uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com] to attributes of [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20150829000451Z] to attributes of [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): adAccountExpires is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): adUserAccountControl is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user admin
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPrincipalName] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbLastPwdChange] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbPasswordExpiration] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adAccountExpires] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adUserAccountControl]
from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [sshPublicKey] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x1edd270], connected[1], ops[(nil)], ldap[0x1edcfd0]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!

it also shows constant messages like this every few seconds:

(Wed Sep 16 18:13:46 2015) [sssd[be[default]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

I'm not sure which step I am missing. I'm using 1.12.2 provided by amazon. The server is FreeIPA, version: 4.1.0

Thanks in advance,
Gustavo

From rcritten at redhat.com Wed Sep 16 18:40:21 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Sep 2015 14:40:21 -0400
Subject: [Freeipa-users] How to add multivalued attribute to UI
In-Reply-To: <1801988592.398732.1442427717032.JavaMail.zimbra@oblong.com>
References: <1801988592.398732.1442427717032.JavaMail.zimbra@oblong.com>
Message-ID: <55F9B795.3010709@redhat.com>

John Duino wrote:
> Greetings!
>
> I am wanting to add a multivalued attribute (mailAlternateAddress, from objectClass:MailRecipient) to the User UI. We are running IPA 4.1.0-18.el7.centos.4.x86_64, on CentOS7. Adding it to the CLI was fairly straightforward.
> I have a plugin at /usr/share/ipa/ui/js/plugins/altemail/altemail.js that I basically copied/hacked from some other docs/example I found. Two problems:
> 1) It will only show the first entry of mailAlternateAddress it finds (which I assume is a limitation of the get_item() function.)
> 2) While it inserts a text box in the UI in the Contacts section, it does not have the same ADD and DELETE buttons that, say, the 'mail' attribute has.
>
> Any help would be appreciated! Here is the plugin:
> define([
>         'freeipa/phases',
>         'freeipa/user'],
>     function(phases, user_mod) {
>
>     // helper function: return the first element of array whose attr equals value
>     function get_item(array, attr, value) {
>
>         for (var i=0, l=array.length; i<l; i++) {
>             if (array[i][attr] === value) return array[i];
>         }
>         return null;
>     }
>
>     var altemail_plugin = {};
>
>     // adds 'mailalternateaddress' field into user details facet
>     altemail_plugin.add_altemail_pre_op = function() {
>
>         var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
>         var section = get_item(facet.sections, 'name', 'contact');
>         section.fields.push({
>             type: 'multivalued',
>             name: 'mailalternateaddress',
>             label: 'E-mail Alias'
>         });
>         return true;
>     };
>
>     phases.on('customization', altemail_plugin.add_altemail_pre_op);
>
>     return altemail_plugin;
> });
>

Do you have this configured in the user plugin? Perhaps some other piece of the UI is confused because of either a missing or misconfigured value for the attribute in the metadata.

If you do, how is the param configured?
rob

From jduino at oblong.com Wed Sep 16 19:08:05 2015
From: jduino at oblong.com (John Duino)
Date: Wed, 16 Sep 2015 14:08:05 -0500 (CDT)
Subject: [Freeipa-users] How to add multivalued attribute to UI
In-Reply-To:
References: <1801988592.398732.1442427717032.JavaMail.zimbra@oblong.com> <55F9B795.3010709@redhat.com>
Message-ID: <264406920.403684.1442430485961.JavaMail.zimbra@oblong.com>

You shot right past me there, Rob. Forgive my ignorance but I'm not sure what you are referring to when saying "this configured", or what you are calling metadata.

What I included was the user plugin. The UI loads it without error. But it only supplies a single field (which is correct) that includes the label ("E-mail Alias") and the textbox with ONE of the mailAlternateAddress attributes for that user account.

An ldapsearch returns:

dn: uid=test4,cn=users,cn=accounts,dc=domain,dc=com
mailAlternateAddress: xxx at domain.com
mailAlternateAddress: yyy at domain.com

For the CLI, using "ipa user-mod --addattr=mailalternateaddress=blahblah " (or --setattr or --delattr) works as expected, adding an additional entry of mailAlternateAddress (or removing, etc).

mailAlternateAddress is defined via the mailRecipient objectclass, which is included in FreeIPA v4.

My expectation (eventually...not necessarily with how I've written the javascript) is that if there are no defined mailAlternateAddress attributes for a user then the Label will show with an 'Add' button alongside it (as E-mail address, Telephone Number, and Fax Number currently do). If one (or more) exists, then the field(s) show up with the appropriate value and a 'Delete' button at the end along with the 'Add' button for adding more fields.

Thanks!

----- Original Message -----
From: "Rob Crittenden"

Do you have this configured in the user plugin? Perhaps some other piece of the UI is confused because of either a missing or misconfigured value for the attribute in the metadata.

If you do, how is the param configured?
rob

From rcritten at redhat.com  Wed Sep 16 19:48:01 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Sep 2015 15:48:01 -0400
Subject: [Freeipa-users] How to add multivalued attribute to UI
In-Reply-To: <264406920.403684.1442430485961.JavaMail.zimbra@oblong.com>
References: <1801988592.398732.1442427717032.JavaMail.zimbra@oblong.com> <55F9B795.3010709@redhat.com> <264406920.403684.1442430485961.JavaMail.zimbra@oblong.com>
Message-ID: <55F9C771.90504@redhat.com>

John Duino wrote:
> You shot right past me there, Rob. Forgive my ignorance but I'm not sure
> what you are referring to when saying "this configured", or what you are
> calling metadata.
>
> What I included was the user plugin. The UI loads it without error. But
> it only supplies a single field (which is correct) that includes the
> label ("E-mail Alias") and the textbox with ONE of the
> mailAlternateAddress attributes for that user account.
>
> An ldapsearch returns:
>
> dn: uid=test4,cn=users,cn=accounts,dc=domain,dc=com
> mailAlternateAddress: xxx at domain.com
> mailAlternateAddress: yyy at domain.com
>
> For the CLI, using "ipa user-mod --addattr=mailalternateaddress=blahblah "
> (or --setattr or --delattr) works as expected, adding an additional entry
> of mailAlternateAddress (or removing, etc).
>
> mailAlternateAddress is defined via the mailRecipient objectclass, which
> is included in FreeIPA v4.
>
>
> My expectation (eventually... not necessarily with how I've written the
> javascript) is that if there are no defined mailAlternateAddress
> attributes for a user, the Label will show with an 'Add' button alongside
> it (as E-mail address, Telephone Number, and Fax Number currently do). If
> one (or more) exists, then the field(s) show up with the appropriate
> value and a 'Delete' button at the end, along with the 'Add' button for
> adding more fields.

I don't know a lot about the UI javascript but there are two pieces to
code: the plugin to define the attribute and the UI to consume it.
It sounds like you've done both. What I'm interested in is how you
configured the plugin. Can you share the code?

The UI downloads all the available commands and options as metadata and
uses that to help drive some of the interactions.

rob

>
> Thanks!
> ----- Original Message -----
> From: "Rob Crittenden"
>
> Do you have this configured in the user plugin? Perhaps some other piece
> of the UI is confused because of either a missing or misconfigured value
> for the attribute in the metadata.
>
> If you do, how is the param configured?
>
> rob
>

From jduino at oblong.com  Wed Sep 16 20:16:13 2015
From: jduino at oblong.com (John Duino)
Date: Wed, 16 Sep 2015 15:16:13 -0500 (CDT)
Subject: [Freeipa-users] How to add multivalued attribute to UI
In-Reply-To:
References: <1801988592.398732.1442427717032.JavaMail.zimbra@oblong.com> <55F9B795.3010709@redhat.com> <264406920.403684.1442430485961.JavaMail.zimbra@oblong.com> <55F9C771.90504@redhat.com>
Message-ID: <465914968.419195.1442434573732.JavaMail.zimbra@oblong.com>

Oh, okay. I didn't realize the ipalib plugin affected the UI. Sure, I can
share it. So in /usr/lib/python2.7/site-packages/ipalib/plugins/altemail.py
is the following. I have also (at one point) had a validation function and
a precallback (both currently not used when trying to simplify/test).
Validation just checked for a validly formatted email address (I left the
'from' statement below which imports that library). The precallback was to
ensure that the objectClass 'mailrecipient' was added to the user before
trying to add the mailAlternateAddress attribute (it was causing some other
error when it was already there.. need to sort that out later, as well).
Anyway, the ipalib plugin:

from ipalib.plugins import user
from ipalib.parameters import Str
from ipalib import _
from validate_email_address import validate_email

user.user.takes_params = user.user.takes_params + (
    Str('mailalternateaddress*',
        cli_name='altemail',
        label=_('E-mail Alias'),
        doc=_('E-Mail Alias'),
        minlength=7,
        multivalue=True,
    ),
)

----- Original Message -----
From: "Rob Crittenden"

I don't know a lot about the UI javascript but there are two pieces to
code: the plugin to define the attribute and the UI to consume it.

It sounds like you've done both. What I'm interested in is how you
configured the plugin. Can you share the code?

The UI downloads all the available commands and options as metadata and
uses that to help drive some of the interactions.

rob

>
> Thanks!
> ----- Original Message -----
> From: "Rob Crittenden"
>
> Do you have this configured in the user plugin? Perhaps some other piece
> of the UI is confused because of either a missing or misconfigured value
> for the attribute in the metadata.
>
> If you do, how is the param configured?
>
> rob
>

From jduino at oblong.com  Wed Sep 16 22:21:47 2015
From: jduino at oblong.com (John Duino)
Date: Wed, 16 Sep 2015 17:21:47 -0500 (CDT)
Subject: [Freeipa-users] How to add multivalued attribute to UI
In-Reply-To: <465914968.419195.1442434573732.JavaMail.zimbra@oblong.com>
References: <1801988592.398732.1442427717032.JavaMail.zimbra@oblong.com> <55F9B795.3010709@redhat.com> <264406920.403684.1442430485961.JavaMail.zimbra@oblong.com> <55F9C771.90504@redhat.com> <465914968.419195.1442434573732.JavaMail.zimbra@oblong.com>
Message-ID: <1389405440.437675.1442442107108.JavaMail.zimbra@oblong.com>

I found my mistake (I'd call it a typo but that would assume I knew what
I was doing in the first place!)

In altemail.js, when defining the fields to be pushed, I used "type:"
instead of "$type:". Once I fixed that (and restarted IPA, and cleared
browser cache), it works as expected.
For completeness, here is the full working plugin:

define([
    'freeipa/phases',
    'freeipa/user'],
    function(phases, user_mod) {

    // helper function: first element of array whose attr equals value, else null
    function get_item(array, attr, value) {
        for (var i=0, l=array.length; i<l; i++) {
            if (array[i][attr] === value) return array[i];
        }
        return null;
    }

    var altemail_plugin = {};

    // adds 'mailalternateaddress' field into user details facet
    altemail_plugin.add_altemail_pre_op = function() {
        var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
        var section = get_item(facet.sections, 'name', 'contact');
        section.fields.push({
            $type: 'multivalued',
            name: 'mailalternateaddress',
            label: 'E-mail Alias'
        });
        return true;
    };

    phases.on('customization', altemail_plugin.add_altemail_pre_op);

    return altemail_plugin;
});

To: "freeipa-users"
Sent: Wednesday, September 16, 2015 1:16:13 PM
Subject: Re: [Freeipa-users] How to add multivalued attribute to UI

Oh, okay. I didn't realize the ipalib plugin affected the UI. Sure, I can
share it. So in /usr/lib/python2.7/site-packages/ipalib/plugins/altemail.py
is the following. I have also (at one point) had a validation function and
a precallback (both currently not used when trying to simplify/test).
Validation just checked for a validly formatted email address (I left the
'from' statement below which imports that library). The precallback was to
ensure that the objectClass 'mailrecipient' was added to the user before
trying to add the mailAlternateAddress attribute (it was causing some other
error when it was already there.. need to sort that out later, as well).

Anyway, the ipalib plugin:

from ipalib.plugins import user
from ipalib.parameters import Str
from ipalib import _
from validate_email_address import validate_email

user.user.takes_params = user.user.takes_params + (
    Str('mailalternateaddress*',
        cli_name='altemail',
        label=_('E-mail Alias'),
        doc=_('E-Mail Alias'),
        minlength=7,
        multivalue=True,
    ),
)

----- Original Message -----
From: "Rob Crittenden"

I don't know a lot about the UI javascript but there are two pieces to
code: the plugin to define the attribute and the UI to consume it.

It sounds like you've done both. What I'm interested in is how you
configured the plugin. Can you share the code?

The UI downloads all the available commands and options as metadata and
uses that to help drive some of the interactions.

rob

>
> Thanks!
> ----- Original Message -----
> From: "Rob Crittenden"
>
> Do you have this configured in the user plugin?
> Perhaps some other piece
> of the UI is confused because of either a missing or misconfigured value
> for the attribute in the metadata.
>
> If you do, how is the param configured?
>
> rob
>

From jhrozek at redhat.com  Thu Sep 17 07:25:15 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 17 Sep 2015 09:25:15 +0200
Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
In-Reply-To:
References:
Message-ID: <20150917072515.GP14560@hendrix.arn.redhat.com>

On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> Hi,
>
> I have an IPA server running on redhat and I'm trying to find the best
> way to get my amazon linux instances to use it for authentication, ssh
> key management and sudo rules.
>
> I'm now trying to use SSSD to achieve those goals. Authentication is
> working but I'm having problems to get the user public ssh keys using
> /usr/bin/sss_ssh_authorizedkeys.
>
>
> This is my sssd.conf:
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = default
> re_expression = (?P<name>.+)
>
> [domain/default]
> debug_level = 8
> cache_credentials = True
> id_provider = ldap
> auth_provider = ldap
> ldap_uri = ldap://ipa.my.domain.com
> ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
> ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
> ldap_user_ssh_public_key = ipaSshPubKey
>
>
> The original configuration was done using ipa-advise
> ipa-advise config-redhat-sssd-before-1-9.

Is there any particular reason to keep doing this versus joining the
client to the domain and using id_provider=ipa ?

> I just changed the services parameter to
> include "ssh, sudo" and "ldap_user_ssh_public_key"

I don't think sudo would work unless you authenticate the LDAP connection.

>
> When I run it on the client I get no response or error. Even running it
> in debug mode:
>
> /usr/bin/sss_ssh_authorizedkeys admin --debug 10

I would check if:
- debug_level in the [ssh] section reveals anything.
  Is the ssh responder being contacted, are there any errors?
- check with ldbsearch (ldb-tools package) if the ssh key attribute is
  really fetched from IPA LDAP and is stored along the user entry

From mkosek at redhat.com  Thu Sep 17 11:15:39 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 17 Sep 2015 13:15:39 +0200
Subject: [Freeipa-users] last step in retiring old RHEL 6 (IPA 3.0.0) servers
In-Reply-To:
References:
Message-ID: <55FAA0DB.80201@redhat.com>

On 09/16/2015 06:54 PM, Craig White wrote:
> Virtually completed the steps listed here...
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>
> Managed to get IPA2 deleted and removed from 'ipa-replica-manage list' so
> now it is down to IPA1. No amount of effort will seem to kill that sucker
> off.
>
> ipa-replica-manage del ipa1.stt.local --force
> Connection to 'ipa1.stt.local' failed:
> Forcing removal of ipa1.stt.local
> Skipping calculation to determine if one or more masters would be orphaned.
> No RUV records found.
>
> $ ipa-replica-manage del ipa1.stt.local --force -c
> Connection to 'ipa1.stt.local' failed:
> Forcing removal of ipa1.stt.local
> Skipping calculation to determine if one or more masters would be orphaned.
> No RUV records found.
>
> $ ipa-replica-manage list
> ipa1.stt.local: master
> ipa3.stt.local: master
> ipa4.stt.local: master
>
> Obviously connection to ipa1 failed because in previous step, I had to
> shut it down on ipa1 (ipactl stop)
>
> What's the trick to get rid of an old, discontinued 'master' ?
>
> Craig White

Quickly looking at ipa-replica-manage code, the del command will end if
there is no RUV. So it seems that in some of your previous steps the RUV
was deleted, but the server record was not.

What does
# ipa-replica-manage list-ruv
show?
Petr or Honza, is the only option here to
1) Use ldapdelete to delete the master record in cn=masters as a hotfix
   for this issue
2) File a ticket to avoid the get_ruv function exiting the whole "del"
   command when --force is in play, to fix this long-term

>

From traiano at gmail.com  Thu Sep 17 11:21:35 2015
From: traiano at gmail.com (Traiano Welcome)
Date: Thu, 17 Sep 2015 14:21:35 +0300
Subject: [Freeipa-users] Cleanly Removing a Stubborn IPA Replica Server
Message-ID:

Hi All

I'm trying to delete replication agreements between a 'master' ipa server
and a replica, but it seems the directory server has gotten into a state
where the replication agreements can't be removed (or some other stale
meta-data is still hanging around).

(CentOS Linux release 7.1.1503, IPA VERSION: 4.1.0, API_VERSION: 2.112)

When I try to delete replication agreements between master and replica,
I get:

---
[root at lolpr-idm-mstr ~]# ipa-replica-manage disconnect lolsitepr-idm-slve.ipa.local
'lolpr-idm-mstr.ipa.local' has no replication agreement for 'lolsitepr-idm-slve.ipa.local'
---

However, attempts to re-add the replica with ipa-replica-install ...
fails with "The host lolsitepr-idm-slve.ipa.local already exists on the
master server"

Here is the process I'm following to try and delete the replication
agreements:

Try to disconnect the ipa master and replica:

---
[root at lolpr-idm-mstr ~]#
[root at lolpr-idm-mstr ~]# ipa-replica-manage disconnect lolsitepr-idm-slve.ipa.local
'lolpr-idm-mstr.ipa.local' has no replication agreement for 'lolsitepr-idm-slve.ipa.local'
[root at lolpr-idm-mstr ~]#
---

After re-generating the new .gpg for the replica, copying it to the ipa
replica server, try to re-create the ipa replica:

---
[root at lolsitepr-idm-slve ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-lolsitepr-idm-slve.ipa.local.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'lolpr-idm-mstr.ipa.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at IDM.LOCAL password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'lolsitepr-idm-slve.ipa.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Using reverse zone(s) xxx.yy.zzz.in-addr.arpa.
The host lolsitepr-idm-slve.ipa.local already exists on the master server.
You should remove it before proceeding:
    % ipa host-del lolsitepr-idm-slve.ipa.local
---

Trying to run "ipa host-del lolsitepr-idm-slve.ipa.local" on the 'master'
replica server:

---
[root at lolpr-idm-mstr ~]# ipa host-del lolsitepr-idm-slve.ipa.local
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
[root at lolpr-idm-mstr ~]#
---

This makes no sense to me, are the differences in versions of IPA between
the two hosts? NO:

---
Replica:

[root at lolsitepr-idm-slve ~]# rpm -qa |grep ipa
ipa-client-4.1.0-18.el7.centos.3.x86_64
ipa-server-trust-ad-4.1.0-18.el7.centos.3.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
iniparser-3.1-5.el7.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64

Master:

[root at lolpr-idm-mstr ~]# rpm -qa | grep ipa
ipa-client-4.1.0-18.el7.centos.3.x86_64
ipa-server-trust-ad-4.1.0-18.el7.centos.3.x86_64
iniparser-3.1-5.el7.x86_64
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-python-4.1.0-18.el7.centos.3.x86_64
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64
---

So I tried using ipa-replica-manage disconnect:

---
[root at lolpr-idm-mstr ~]# ipa-replica-manage disconnect lolsitepr-idm-slve.ipa.local
'lolpr-idm-mstr.ipa.local' has no replication agreement for 'lolsitepr-idm-slve.ipa.local'
---
[root at lolpr-idm-mstr ~]#
---

How do I force delete the replication agreements between the two hosts in
this case?

Thanks in advance for any help!
Traiano

From ellertalexandre at gmail.com  Thu Sep 17 11:42:38 2015
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Thu, 17 Sep 2015 13:42:38 +0200
Subject: [Freeipa-users] Failed to start pki-tomcatd Service
In-Reply-To:
References: <20150722160802.GA21928@redhat.com> <20150722164042.GB21928@redhat.com> <55B087C9.3060900@redhat.com> <20150723064133.GE21928@redhat.com> <20150728035937.GG21928@redhat.com> <20150828150920.GV22106@redhat.com> <9859EB0E-319F-450E-8ABC-D682C8DC8836@gmail.com> <20150828154119.GY22106@redhat.com> <3FE94CE3-CCC8-4B2A-AA40-9736F66BBDB5@gmail.com> <55E9AC8C.2080907@redhat.com>
Message-ID:

My FreeIPA PKI is totally broken since upgrade from 3.0 (RHEL 6.6) to 4.1
(RHEL 7.1)
This thread started in July and still no resolution...
Can someone please advise ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Andy.Thompson at e-tcc.com  Thu Sep 17 11:42:54 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Thu, 17 Sep 2015 11:42:54 +0000
Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
In-Reply-To: <20150915123638.GN2884@hendrix>
References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix>
Message-ID: <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local>

I've narrowed it down a bit doing some testing. The sudo rules work when I
remove the user group restriction from them.
My sudo rules all have my ad groups in the rule

  Rule name: ad_linux_admins
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: ad_linux_admins    <- if I remove this then the rule gets applied
  Sudo Option: !authenticate

-andy

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, September 15, 2015 8:37 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
>
> Sorry for not replying sooner, many of us were mostly offline last week.
>
> I'll try to reproduce locally..
>
> On Tue, Sep 15, 2015 at 12:24:45PM +0000, Andy Thompson wrote:
> > I just updated several machines to RHEL 6.7 and seem to have broken my
> > sudo rules. I've tracked the problem down to having
> >
> > Default_domain_suffix = ad.domain
> >
> > In the sssd.conf. If I remove that I can login using the fqn from AD
> > and sudo rules are applied as configured. However I don't want to force
> > my users to change to using their fqn to login, and due to having db2
> > in the environment our usernames are limited to 8 characters so we
> > cannot use the fqn regardless.
> >
> > I tested adding a local sudo rule for %ad_domain_group at ipa.domain
> > and it worked, but any IPA rules are not working. A rule in the sudoers
> > would not work unless it was a fqn either which I expected with the
> > default domain suffix set.
> >
> > Update installed sssd-1.12.4-47.el6.x86_64. Redhat wants me to test
> > downgrading my sssd, which I'm not entirely opposed to in order to get
> > things working, but there are some fixes in this release I kinda want
> > to keep.
> >
> > -andy
> >
> >
> >
> > *** This communication may contain privileged and/or confidential
> > information. It is intended solely for the use of the addressee.
If you are not > the intended recipient, you are strictly prohibited from disclosing, copying, > distributing or using any of this information. If you received this > communication in error, please contact the sender immediately and destroy > the material in its entirety, whether electronic or hard copy. *** > > > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > > > > > *** This communication may contain privileged and/or confidential > information. It is intended solely for the use of the addressee. If you are not > the intended recipient, you are strictly prohibited from disclosing, copying, > distributing or using any of this information. If you received this > communication in error, please contact the sender immediately and destroy > the material in its entirety, whether electronic or hard copy. *** > > > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From pvoborni at redhat.com Thu Sep 17 11:58:42 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 17 Sep 2015 13:58:42 +0200 Subject: [Freeipa-users] last step in retiring old RHEL 6 (IPA 3.0.0) servers In-Reply-To: <55FAA0DB.80201@redhat.com> References: <55FAA0DB.80201@redhat.com> Message-ID: <55FAAAF2.9070904@redhat.com> On 09/17/2015 01:15 PM, Martin Kosek wrote: > On 09/16/2015 06:54 PM, Craig White wrote: >> Virtually completed the steps listed here... 
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html >> >> Managed to get IPA2 deleted and removed from 'ipa-replica-manage list' so now it is down to IPA1. No amount of effort will seem to kill that sucker off. >> >> ipa-replica-manage del ipa1.stt.local --force >> Connection to 'ipa1.stt.local' failed: >> Forcing removal of ipa1.stt.local >> Skipping calculation to determine if one or more masters would be orphaned. >> No RUV records found. >> >> $ ipa-replica-manage del ipa1.stt.local --force -c >> Connection to 'ipa1.stt.local' failed: >> Forcing removal of ipa1.stt.local >> Skipping calculation to determine if one or more masters would be orphaned. >> No RUV records found. >> >> $ ipa-replica-manage list >> ipa1.stt.local: master >> ipa3.stt.local: master >> ipa4.stt.local: master >> >> Obviously connection to ipa1 failed because in previous step, I had to shut it down on ipa1 (ipactl stop) >> >> What's the trick to get rid of an old, discontinued 'master' ? >> >> Craig White > > Quickly looking at ipa-replica-manage code, the del command will end if there > is no RUV. So it seems that in some of your previous RUV was deleted, but > server record was not. > > What does > # ipa-replica-manage list-ruv > show? > > Petr or Honza, is the only option here to > 1) Use ldapdelete to delete the master record in cn=masters as a hotfix for > this issue It will fix the replica manage output but replica cleanup does more things than just a removal of master entry. 
It also:
- deletes services of the host
- removes s4u2proxy configuration
- removes some ACIs

More info:
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/replication.py#n1185

> 2) File a ticket to avoid get_ruv function exit the whole "del" command when
> --force is in play to fix this long-term

https://fedorahosted.org/freeipa/ticket/5307

>
>>

--
Petr Vobornik

From APtashnik at cccis.com  Thu Sep 17 14:25:58 2015
From: APtashnik at cccis.com (Andrey Ptashnik)
Date: Thu, 17 Sep 2015 14:25:58 +0000
Subject: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
In-Reply-To: <68F12368-A7D8-463A-BC34-BA1EB08C02CB@cccis.com>
References: <20150916134332.GQ6168@redhat.com> <68F12368-A7D8-463A-BC34-BA1EB08C02CB@cccis.com>
Message-ID: <7F7367ED-0EB6-4F41-BC27-278528768E64@cccis.com>

Any ideas on that?

Regards,

Andrey Ptashnik | Network Architect
CCC Information Services Inc.
222 Merchandise Mart Plaza, Suite 900
Chicago, IL 60654
Office: +1-312-229-2533 | Cell : +1-773-315-0200 | aptashnik at cccis.com

On 9/16/15, 11:30 AM, "freeipa-users-bounces at redhat.com on behalf of Andrey Ptashnik" wrote:

>Alexander,
>
>Thank you for your feedback!
>
>In my environment I noticed that client machines that are on Red Hat 6
>have version 3.0.0 of IPA client installed.
>
>[root at ptr-test-6 ~]# yum list installed | grep ipa
>ipa-client.x86_64         3.0.0-47.el6
>ipa-python.x86_64         3.0.0-47.el6
>
>
>[root at ptr-test-6 ~]# yum list installed | grep sssd
>python-sssdconfig.noarch  1.12.4-47.el6
>sssd.x86_64               1.12.4-47.el6
>sssd-ad.x86_64            1.12.4-47.el6
>sssd-client.x86_64        1.12.4-47.el6
>sssd-common.x86_64        1.12.4-47.el6
>sssd-common-pac.x86_64    1.12.4-47.el6
>sssd-ipa.x86_64           1.12.4-47.el6
>sssd-krb5.x86_64          1.12.4-47.el6
>sssd-krb5-common.x86_64   1.12.4-47.el6
>sssd-ldap.x86_64          1.12.4-47.el6
>sssd-proxy.x86_64         1.12.4-47.el6
>[root at ptr-test-6 ~]#
>
>
>And I noticed particular behavior with IPA client 3.0.0 and IPA server
>4.1 - when I add machines to the domain using command below:
>
># ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
>
>DNS record populate in Forward lookup zone, but no PTR records appear in
>Reverse lookup zones. That behavior is not the same with IPA client 4.1
>and IPA server 4.1 version combination.
>
>Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I
>see output below:
>
>Synchronizing time with KDC...
>Enrolled in IPA realm XXXXXXXXX.COM
>Attempting to get host TGT...
>Created /etc/ipa/default.conf
>New SSSD config will be created
>Configured sudoers in /etc/nsswitch.conf
>Configured /etc/sssd/sssd.conf
>Configured /etc/krb5.conf for IPA realm XXXXXXXXX.COM
>trying https://ipa-idm.XXXXXXXXX.COM/ipa/xml
>Forwarding 'env' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
>Failed to update DNS records.
>Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>Forwarding 'host_mod' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
>SSSD enabled
>Configuring XXXXXXXXX.COM as NIS domain
>Configured /etc/openldap/ldap.conf
>NTP enabled
>Configured /etc/ssh/ssh_config
>Configured /etc/ssh/sshd_config
>Client configuration complete.
>
>
>Regards,
>
>Andrey Ptashnik
>
>
>
>On 9/16/15, 8:43 AM, "Alexander Bokovoy" wrote:
>
>>On Wed, 16 Sep 2015, Andrey Ptashnik wrote:
>>>Dear IPA Team,
>>>
>>>We have a situation in our datacenter where we deployed Red Hat 7.1
>>>with IPA server 4.1 and on the other hand we still have older machines
>>>with Red Hat 5 and 6. I noticed that repositories associated with
>>>version 6 have older version of the client software - v.3.0. Therefore
>>>some functionality is missing from client package 3 vs 4, like
>>>automatic update of both forward and reverse DNS records.
>>>
>>>Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without
>>>much breaking dependencies in OS?
>>You don't need to install IPA python packages on older machines. These
>>packages are mostly for administration purposes.
>>
>>Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6
>>version of SSSD is on par with RHEL 7 version in the recent updates.
>>Additionally, MIT Kerberos backports were done in the recent updates to
>>allow OTP functionality in RHEL6 as well. So most of features are there
>>already, client-wise.
>>
>>RHEL5 version does not have such updates and you can implement most of
>>the support with existing SSSD and output of 'ipa-advise' tool on IPA
>>masters. nsupdate integration would probably need to be done
>>differently.
>>
>>Backporting IPA v4.x client code to RHEL 5 or 6 in general makes not
>>much sense.
>> >>-- >>/ Alexander Bokovoy > >-- >Manage your subscription for the Freeipa-users mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-users >Go to http://freeipa.org for more info on the project From ranger at opennms.org Thu Sep 17 14:48:02 2015 From: ranger at opennms.org (Benjamin Reed) Date: Thu, 17 Sep 2015 10:48:02 -0400 Subject: [Freeipa-users] Missing data encountered + Incremental update failed and requires administrator action In-Reply-To: <55DABCBB.2010107@redhat.com> References: <55D75D1D.7060505@opennms.org> <55DABCBB.2010107@redhat.com> Message-ID: <55FAD2A2.1090108@opennms.org> Sorry it's taken a while to get back to you, I was gone for a few weeks. This seemed to get us back up and running and things looked like they were working, but looking at the logs, it appears we're hitting the next issue that is going to eventually bite us. :) Here's what I'm seeing in the logs: > [15/Sep/2015:08:57:29 -0400] ipalockout_postop - [file ipa_lockout.c, > line 503]: Failed to retrieve entry "david": 32 > [15/Sep/2015:09:56:20 -0400] ipalockout_preop - [file ipa_lockout.c, > line 749]: Failed to retrieve entry "emily": 32 > [15/Sep/2015:09:56:20 -0400] ipalockout_postop - [file ipa_lockout.c, > line 503]: Failed to retrieve entry "emily": 32 > [15/Sep/2015:11:50:34 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] > No original_tombstone for changenumber=102502,cn=changelog!! > [15/Sep/2015:12:02:19 -0400] ipalockout_preop - [file ipa_lockout.c, > line 749]: Failed to retrieve entry "tina": 32 > [15/Sep/2015:12:02:19 -0400] ipalockout_postop - [file ipa_lockout.c, > line 503]: Failed to retrieve entry "tina": 32 I've found some references to this stuff in google searches, but I'm not real clear on what the implications are, nor how to go about understanding it well enough to know the right fix. There are two hosts (ipa and ipa2). These logs are from the "ipa" server, the one I had to rebuild. 
I do eventually get this: > [15/Sep/2015:12:58:46 -0400] NSMMReplicationPlugin - > agmt="cn=meToipa2.XXX" (ipa2:389): Replication bind with GSSAPI auth > resumed ...but the original_tombstone thing makes me thing something is still not in sync. Any clues as to what else I might need to do to make sure this server is back in 100% working order? Thanks, Ben On 8/24/15 2:42 AM, Martin Kosek wrote: >> > I fear this means that something is still not properly in sync and will >> > eventually come back to bite me. Any ideas what's going on here, and >> > how to fix it? > Yup, this looks as something that can eventually bite you. It looks like your > replica's CA database got somehow corrupted and stopped replicating with other > master. This could lead to outdated data on the replica, like certificates, > CRL, etc. > > You can re-initialize the Dogtag database from other healthy master with CA, > using "ipa-csreplica-manage" command. Some advise should be for example here: > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-topology.html#initialize > > (Note that we need "ipa-csreplica-manage" in this case, as the reported faulty > agreement is Dogtag/CA agreement) -- Benjamin Reed The OpenNMS Group http://www.opennms.org/ From pvoborni at redhat.com Thu Sep 17 14:53:10 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 17 Sep 2015 16:53:10 +0200 Subject: [Freeipa-users] Announcing FreeIPA 4.2.1 Message-ID: <55FAD3D6.7020509@redhat.com> The FreeIPA team would like to announce FreeIPA v4.2.1 bug fixing release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are available in the official COPR repository . This announcement is also available at . 
== Highlights in 4.2.1 == === Enhancements === * Added support for multiple IP addresses during client installation === Bug fixes === * Various fixes for new Vault feature * Various fixes for new Certificates Profiles feature * Fixed ACI issue in search for hbac rules, sudo rules, users and other IPA objects by non-admin users * Backup and restore fixes, mostly related to DNSSEC * ipa-client-install is able to request a certificate in kickstart environment * Fixed server upgrade failure in "Enabling KDC proxy" step * Added option to establish bidirectional trust in Web UI == Upgrading == Upgrade instructions are available on Upgrade page . == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode. == Detailed Changelog since 4.2.0 == === Alexander Bokovoy (5) === * selinux: enable httpd_run_ipa to allow communicating with oddjobd services * oddjob: avoid chown keytab to sssd if sssd user does not exist * Fix selector of protocol for LSA RPC binding string * trusts: harden trust-fetch-domains oddjobd-based script * trusts: format Kerberos principal properly when fetching trust topology === Christian Heimes (10) === * Start dirsrv for kdcproxy upgrade * Fix selinux denial during kdcproxy user creation * certprofile-import: improve profile format documentation * otptoken: use ipapython.nsslib instead of Python's ssl module * Require Dogtag PKI >= 10.2.6 * Validate vault's file parameters * certprofile-import: do not require profileId in profile data * Asymmetric vault: validate public key in client * Add flag to list all service and user vaults * Change internal rsa_(public|private)_key variable names === David Kupka (9) === * migration: Use api.env variables. * cermonger: Use private unix socket when DBus SystemBus is not available. * ipa-client-install: Do not (re)start certmonger and DBus daemons. * user-undel: Fix error messages. 
* client: Add support for multiple IP addresses during installation.
* client: Add description of --ip-address and --all-ip-addresses to man page
* Backup/restore authentication control configuration
* vault: Limit size of data stored in vault
* ipactl: Do not start/stop/restart single service multiple times

=== Endi Sukma Dewata (6) ===
* Fixed missing KRA agent cert on replica.
* Added CLI param and ACL for vault service operations.
* Fixed vault container ownership.
* Added support for changing vault encryption.
* Removed clear text passwords from KRA install log.
* Using LDAPI to setup CA and KRA agents.

=== Fraser Tweedale (14) ===
* user-show: add --out option to save certificates to file
* Fix otptoken-remove-managedby command summary
* Give more info on virtual command access denial
* Allow SAN extension for cert-request self-service
* Add profile for DNP3 / IEC 62351-8 certificates
* Work around python-nss bug on unrecognised OIDs
* Fix default CA ACL added during upgrade
* Fix KRB5PrincipalName / UPN SAN comparison
* certprofile: add profile format explanation
* Add permission for bypassing CA ACL enforcement
* Prohibit deletion of predefined profiles
* cert-request: remove allowed extensions check
* certprofile: prevent rename (modrdn)
* certprofile: remove 'rename' option

=== Jan Cholasta (14) ===
* spec file: Move /etc/ipa/kdcproxy to the server subpackage
* spec file: Update minimum required version of krb5
* install: Fix server and replica install options
* ULC: Prevent preserved users from being assigned membership
* spec file: Fix install with the server-dns subpackage
* baseldap: Allow overriding member param label in LDAPModMember
* vault: Fix param labels in output of vault owner commands
* install: Fix replica install with custom certificates
* vault: Fix vault-find with criteria
* vault: Add container information to vault command results
* spec file: Add Requires(post) on selinux-policy
* cert renewal: Include KRA users in Dogtag LDAP update
* cert renewal: Automatically update KRA agent PEM file
* ldap: Make ldap2 connection management thread-safe again

=== Lenka Doudova (2) ===
* Automated test for stageuser plugin
* Fix user tracker to reflect new user-del message

=== Martin Babinsky (12) ===
* ipa-ca-install: print more specific errors when CA is already installed
* enable debugging of ntpd during client installation
* fix broken search for users by their manager
* ACI plugin: correctly parse bind rules enclosed in parentheses
* test suite for user/host/service certificate management API commands
* store certificates issued for user entries as userCertificate;binary
* idranges: raise an error when local IPA ID range is being modified
* fix typo in BasePathNamespace member pointing to ods exporter config
* ipa-backup: archive DNSSEC zone file and kasp.db
* ipa-restore: check whether DS is running before attempting connection
* improve the handling of krb5-related errors in dnssec daemons
* improve the usability of `ipa user-del --preserve` command

=== Martin Bašti (23) ===
* Prevent to rename certprofile profile id
* Stageuser-activate: show username instead of DN
* copy-schema-to-ca: allow to overwrite schema files
* fix selinuxusermap search for non-admin users
* Validate adding privilege to a permission
* sysrestore: copy files instead of moving them to avoid SELinux issues
* Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
* Py3: replace tab with space
* DNS: Consolidate DNS RR types in API and schema
* DNS: check if DNS package is installed
* Remove ico files from Makefile
* Use 'mv -Z' in specfile to restore SELinux context
* ULC: Fix stageuser-add --from-delete command
* Fix upgrade of sidgen and extdom plugins
* Add dependency to SSSD 1.13.1
* Server Upgrade: Start DS before CA is started.
* Add user-stage command
* DNSSEC: fix forward zone forwarders checks
* DNSSEC: remove "DNSSEC is experimental" warnings
* Backup: back up the hosts file
* Installer: do not modify /etc/hosts before user agreement
* DNSSEC: backup and restore opendnssec zone list file
* DNSSEC: remove ccache and keytab of ipa-ods-exporter

=== Milan Kubík (4) ===
* ipalib: pass api instance into textui in doctest snippets
* spec file: update the python package names for libipa_hbac and libsss_nss_idmap
* tests: Allow Tracker.dn be an instance of Fuzzy
* ipatests: Take otptoken import test out of execution

=== Oleg Fayans (2) ===
* Added a user-friendly output to an import error
* Temporary fix for ticket 5240

=== Petr Voborník (17) ===
* Become IPA 4.2.0
* do not import memcache on client
* webui: fix user reset password dialog
* fix hbac rule search for non-admin users
* webui: add Kerberos configuration instructions for Chrome
* webui: fix regressions failed auth messages
* webui: add LDAP vs Kerberos behavior description to user auth types
* adjust search so that it works for non-admin users
* validate mutually exclusive options in vault-add
* add permission: System: Manage User Certificates
* vault: normalize service principal in service vault operations
* vault: validate vault type
* vault: change default vault type to symmetric
* fix missing information in object metadata
* webui: add option to establish bidirectional trust
* vault: fix vault tests after default type change
* Become IPA 4.2.1

=== Petr Špaček (6) ===
* Create server-dns sub-package.
* DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
* DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
* DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master
* DNSSEC: Fix key metadata export
* DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
=== Rob Crittenden (1) ===
* Use %license instead of %doc for packaging the license

=== Simo Sorce (1) ===
* Fix DNS records installation for replicas

=== Stanislav Laznicka (1) ===
* ipa-client-install: warn when IP used in --server

=== Tomáš Babej (24) ===
* ipalib: Fix missing format for InvalidDomainLevelError
* trusts: Check for AD root domain among our trusted domains
* ipaplatform: Add constants submodule
* tests: user_plugin: Add preserved flag when --all is used
* dcerpc: Expand explanation for WERR_ACCESS_DENIED
* idviews: Check for the Default Trust View only if applying the view
* tests: service_plugin: Make sure the cert is decoded from base64
* tests: realmdomains_plugin: Add explanatory comment
* tests: Version is currently generated during command call
* tests: vault_plugin: Skip tests if KRA not available
* tests: test_rpc: Create connection for the current thread
* tests: test_cert: Services can have multiple certificates
* dcerpc: Fix UnboundLocalError for ccache_name
* dcerpc: Add get_trusted_domain_object_type method
* idviews: Restrict anchor to name and name to anchor conversions
* idviews: Enforce objectclass check in idoverride*-del
* replication: Fix incorrect exception invocation
* Fix incorrect type comparison in trust-fetch-domains
* dcerpc: Simplify generation of LSA-RPC binding strings
* adtrust-install: Correctly determine 4.2 FreeIPA servers
* trusts: Detect domain clash with IPA domain when adding a AD trust
* trusts: Detect missing Samba instance
* winsync-migrate: Add warning about passsync
* winsync-migrate: Expand the man page

=== Yuri Chornoivan (1) ===
* Fix minor typos

--
Petr Vobornik

From mbasti at redhat.com Thu Sep 17 15:07:04 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 17 Sep 2015 17:07:04 +0200
Subject: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
In-Reply-To: <68F12368-A7D8-463A-BC34-BA1EB08C02CB@cccis.com>
References: <20150916134332.GQ6168@redhat.com> <68F12368-A7D8-463A-BC34-BA1EB08C02CB@cccis.com>
Message-ID: <55FAD718.3010103@redhat.com>

On 09/16/2015 06:30 PM, Andrey Ptashnik wrote:
> Alexander,
>
> Thank you for your feedback!
>
> In my environment I noticed that client machines that are on Red Hat 6 have version 3.0.0 of IPA client installed.
>
> [root at ptr-test-6 ~]# yum list installed | grep ipa
> ipa-client.x86_64 3.0.0-47.el6
> ipa-python.x86_64 3.0.0-47.el6
>
> [root at ptr-test-6 ~]# yum list installed | grep sssd
> python-sssdconfig.noarch 1.12.4-47.el6
> sssd.x86_64 1.12.4-47.el6
> sssd-ad.x86_64 1.12.4-47.el6
> sssd-client.x86_64 1.12.4-47.el6
> sssd-common.x86_64 1.12.4-47.el6
> sssd-common-pac.x86_64 1.12.4-47.el6
> sssd-ipa.x86_64 1.12.4-47.el6
> sssd-krb5.x86_64 1.12.4-47.el6
> sssd-krb5-common.x86_64 1.12.4-47.el6
> sssd-ldap.x86_64 1.12.4-47.el6
> sssd-proxy.x86_64 1.12.4-47.el6
> [root at ptr-test-6 ~]#
>
> And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 - when I add machines to the domain using command below:
>
> # ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
>
> DNS record populate in Forward lookup zone, but no PTR records appear in Reverse lookup zones. That behavior is not the same with IPA client 4.1 and IPA server 4.1 version combination.

Do you have PTR sync enabled in the forward zone configuration, and have you allowed dynamic updates for the reverse zones? How does the ipa41 client work, does it populate the PTR record?

>
> Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see output below:
>
> Synchronizing time with KDC...
> Enrolled in IPA realm XXXXXXXXX.COM
> Attempting to get host TGT...
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm XXXXXXXXX.COM
> trying https://ipa-idm.XXXXXXXXX.COM/ipa/xml
> Forwarding 'env' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
> Failed to update DNS records.
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Forwarding 'host_mod' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
> SSSD enabled
> Configuring XXXXXXXXX.COM as NIS domain
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Client configuration complete.
>
> Regards,
>
> Andrey Ptashnik
>
> On 9/16/15, 8:43 AM, "Alexander Bokovoy" wrote:
>
>> On Wed, 16 Sep 2015, Andrey Ptashnik wrote:
>>> Dear IPA Team,
>>>
>>> We have a situation in our datacenter where we deployed Red Hat 7.1
>>> with IPA server 4.1 and on the other hand we still have older machines
>>> with Red Hat 5 and 6. I noticed that repositories associated with
>>> version 6 have older version of the client software - v.3.0. Therefore
>>> some functionality is missing from client package 3 vs 4, like
>>> automatic update of both forward and reverse DNS records.
>>>
>>> Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without
>>> much breaking dependencies in OS?
>> You don't need to install IPA python packages on older machines. These
>> packages are mostly for administration purposes.
>>
>> Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6
>> version of SSSD is on par with RHEL 7 version in the recent updates.
>> Additionally, MIT Kerberos backports were done in the recent updates to
>> allow OTP functionality in RHEL6 as well. So most of features are there
>> already, client-wise.
>>
>> RHEL5 version does not have such updates and you can implement most of
>> the support with existing SSSD and output of 'ipa-advise' tool on IPA
>> masters. nsupdate integration would probably need to be done
>> differently.
>>
>> Backporting IPA v4.x client code to RHEL 5 or 6 in general makes not
>> much sense.
>>
>> --
>> / Alexander Bokovoy

From rcritten at redhat.com Thu Sep 17 15:32:32 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Sep 2015 11:32:32 -0400
Subject: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
In-Reply-To: <7F7367ED-0EB6-4F41-BC27-278528768E64@cccis.com>
References: <20150916134332.GQ6168@redhat.com> <68F12368-A7D8-463A-BC34-BA1EB08C02CB@cccis.com> <7F7367ED-0EB6-4F41-BC27-278528768E64@cccis.com>
Message-ID: <55FADD10.7030107@redhat.com>

Andrey Ptashnik wrote:
> Any ideas on that?

/var/log/ipaclient-install.log probably has more details on the DNS update failure.

rob

>
> Regards,
>
> Andrey Ptashnik | Network Architect
> CCC Information Services Inc.
> 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654
> Office: +1-312-229-2533 | Cell : +1-773-315-0200 | aptashnik at cccis.com
>
> On 9/16/15, 11:30 AM, "freeipa-users-bounces at redhat.com on behalf of Andrey Ptashnik" wrote:
>
>> Alexander,
>>
>> Thank you for your feedback!
>>
>> In my environment I noticed that client machines that are on Red Hat 6 have version 3.0.0 of IPA client installed.
>>
>> [root at ptr-test-6 ~]# yum list installed | grep ipa
>> ipa-client.x86_64 3.0.0-47.el6
>> ipa-python.x86_64 3.0.0-47.el6
>>
>> [root at ptr-test-6 ~]# yum list installed | grep sssd
>> python-sssdconfig.noarch 1.12.4-47.el6
>> sssd.x86_64 1.12.4-47.el6
>> sssd-ad.x86_64 1.12.4-47.el6
>> sssd-client.x86_64 1.12.4-47.el6
>> sssd-common.x86_64 1.12.4-47.el6
>> sssd-common-pac.x86_64 1.12.4-47.el6
>> sssd-ipa.x86_64 1.12.4-47.el6
>> sssd-krb5.x86_64 1.12.4-47.el6
>> sssd-krb5-common.x86_64 1.12.4-47.el6
>> sssd-ldap.x86_64 1.12.4-47.el6
>> sssd-proxy.x86_64 1.12.4-47.el6
>> [root at ptr-test-6 ~]#
>>
>> And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 - when I add machines to the domain using command below:
>>
>> # ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
>>
>> DNS record populate in Forward lookup zone, but no PTR records appear in Reverse lookup zones. That behavior is not the same with IPA client 4.1 and IPA server 4.1 version combination.
>>
>> Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see output below:
>>
>> Synchronizing time with KDC...
>> Enrolled in IPA realm XXXXXXXXX.COM
>> Attempting to get host TGT...
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm XXXXXXXXX.COM
>> trying https://ipa-idm.XXXXXXXXX.COM/ipa/xml
>> Forwarding 'env' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
>> Failed to update DNS records.
>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>> Forwarding 'host_mod' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
>> SSSD enabled
>> Configuring XXXXXXXXX.COM as NIS domain
>> Configured /etc/openldap/ldap.conf
>> NTP enabled
>> Configured /etc/ssh/ssh_config
>> Configured /etc/ssh/sshd_config
>> Client configuration complete.
>>
>> Regards,
>>
>> Andrey Ptashnik
>>
>> On 9/16/15, 8:43 AM, "Alexander Bokovoy" wrote:
>>
>>> On Wed, 16 Sep 2015, Andrey Ptashnik wrote:
>>>> Dear IPA Team,
>>>>
>>>> We have a situation in our datacenter where we deployed Red Hat 7.1
>>>> with IPA server 4.1 and on the other hand we still have older machines
>>>> with Red Hat 5 and 6. I noticed that repositories associated with
>>>> version 6 have older version of the client software - v.3.0. Therefore
>>>> some functionality is missing from client package 3 vs 4, like
>>>> automatic update of both forward and reverse DNS records.
>>>>
>>>> Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without
>>>> much breaking dependencies in OS?
>>> You don't need to install IPA python packages on older machines. These
>>> packages are mostly for administration purposes.
>>>
>>> Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6
>>> version of SSSD is on par with RHEL 7 version in the recent updates.
>>> Additionally, MIT Kerberos backports were done in the recent updates to
>>> allow OTP functionality in RHEL6 as well. So most of features are there
>>> already, client-wise.
>>>
>>> RHEL5 version does not have such updates and you can implement most of
>>> the support with existing SSSD and output of 'ipa-advise' tool on IPA
>>> masters. nsupdate integration would probably need to be done
>>> differently.
>>>
>>> Backporting IPA v4.x client code to RHEL 5 or 6 in general makes not
>>> much sense.
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>

From CWhite at skytouchtechnology.com Thu Sep 17 16:19:01 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Thu, 17 Sep 2015 16:19:01 +0000
Subject: [Freeipa-users] last step in retiring old RHEL 6 (IPA 3.0.0) servers
In-Reply-To: <55FAAAF2.9070904@redhat.com>
References: <55FAA0DB.80201@redhat.com> <55FAAAF2.9070904@redhat.com>
Message-ID:

-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com]
Sent: Thursday, September 17, 2015 4:59 AM
To: Martin Kosek; Craig White; freeipa-users at redhat.com; Jan Cholasta
Subject: Re: [Freeipa-users] last step in retiring old RHEL 6 (IPA 3.0.0) servers

On 09/17/2015 01:15 PM, Martin Kosek wrote:
> On 09/16/2015 06:54 PM, Craig White wrote:
>> Virtually completed the steps listed here...
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>>
>> Managed to get IPA2 deleted and removed from 'ipa-replica-manage list' so now it is down to IPA1. No amount of effort will seem to kill that sucker off.
>>
>> ipa-replica-manage del ipa1.stt.local --force
>> Connection to 'ipa1.stt.local' failed:
>> Forcing removal of ipa1.stt.local
>> Skipping calculation to determine if one or more masters would be orphaned.
>> No RUV records found.
>>
>> $ ipa-replica-manage del ipa1.stt.local --force -c
>> Connection to 'ipa1.stt.local' failed:
>> Forcing removal of ipa1.stt.local
>> Skipping calculation to determine if one or more masters would be orphaned.
>> No RUV records found.
>>
>> $ ipa-replica-manage list
>> ipa1.stt.local: master
>> ipa3.stt.local: master
>> ipa4.stt.local: master
>>
>> Obviously connection to ipa1 failed because in previous step, I had
>> to shut it down on ipa1 (ipactl stop)
>>
>> What's the trick to get rid of an old, discontinued 'master' ?
>>
>> Craig White
>
> Quickly looking at ipa-replica-manage code, the del command will end
> if there is no RUV. So it seems that in some of your previous RUV was
> deleted, but server record was not.
>
> What does
> # ipa-replica-manage list-ruv
> show?
>
> Petr or Honza, is the only option here to
> 1) Use ldapdelete to delete the master record in cn=masters as a
> hotfix for this issue

It will fix the replica manage output but replica cleanup does more things than just a removal of master entry. It also:
  deletes services of the host
  removes s4u2proxy configuration
  removes some ACIs

More info: https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/replication.py#n1185

> 2) File a ticket to avoid get_ruv function exit the whole "del"
> command when --force is in play to fix this long-term

https://fedorahosted.org/freeipa/ticket/5307

----
OK - I think I see the LDAP entries and just wanting confirmation before I do great harm :-)

Dn: cn=ipa1.stt.local,cn=masters,cn=ipa,cn=etc,dc=stt,dc=local
Dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=stt,dc=local - attribute memberPrincipal ipa1_ETC
Dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=stt,dc=local - attribute memberPrincipal ipa1_ETC

The one DN and the 2 attributes are what I should delete to get rid of this dead master?

Rummaging around, I do see other hanging chads (pardon the election season humor)...
DN: dnaHostname ipa1.stt.local + 0,cn=posix-ids,cn=dna,cn=etc,dc=stt,dc=local
  (that is apparently 'dnaPortNum 0 and dnaSecurePortNum 636)
DN: dnaHostname ipa1.stt.local + 389,cn=posix-ids,cn=dna,cn=etc,dc=stt,dc=local
  (that is apparently 'dnaPortNum 389 and dnaSecurePortNum 636)

And if I were to delete the first one, there wouldn't be any entries pointing to port '0' but that just looks strange to me anyway. If I delete both the above, then all that is left is just the 2 new RHEL 7 IPA/iDM servers on ports 389/636 which seems right to me.

If there are actual ACI's to edit, I am afraid I don't have a tool to do that very easily.

Thanks

Craig

From janellenicole80 at gmail.com Thu Sep 17 16:43:41 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Thu, 17 Sep 2015 09:43:41 -0700
Subject: [Freeipa-users] 4.1 -> 4.2
Message-ID: <55FAEDBD.6050503@gmail.com>

Here is an interesting problem. Currently running 4.1 on RHEL 7.1 -- I would like to migrate to 4.2, but that seems to only be running on Fedora these days. Is there a way to bring up a 4.2.1c and migrate to it from 4.1c using the ipa migrate tool? Or is there another way possible??

thank you
~Janelle

From abokovoy at redhat.com Thu Sep 17 17:20:01 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 17 Sep 2015 20:20:01 +0300
Subject: [Freeipa-users] 4.1 -> 4.2
In-Reply-To: <55FAEDBD.6050503@gmail.com>
References: <55FAEDBD.6050503@gmail.com>
Message-ID: <20150917172001.GC6168@redhat.com>

On Thu, 17 Sep 2015, Janelle wrote:
>Here is an interesting problem. Currently running 4.1 on RHEL 7.1 -- I
>would like to migrate to 4.2, but that seems to only be running on
>Fedora these days. Is there a way to bring up a 4.2.1c and migrate to
>it from 4.1c using the ipa migrate tool? Or is there another way
>possible??
Just wait for RHEL 7.2 release. Beta version is already out and it includes IPA 4.2.
http://red.ht/1i65UND

--
/ Alexander Bokovoy

From gustavo.mateus at gmail.com Thu Sep 17 17:33:41 2015
From: gustavo.mateus at gmail.com (Gustavo Mateus)
Date: Thu, 17 Sep 2015 10:33:41 -0700
Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
In-Reply-To: <20150917072515.GP14560@hendrix.arn.redhat.com>
References: <20150917072515.GP14560@hendrix.arn.redhat.com>
Message-ID:

When I use id_provider=ipa I get:

[sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]

Adding a [ssh] section with just "debug_level = 10" on it, I get:

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client creds: euid[1742200001] egid[1742200001] pid[6295].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain []
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [admin][]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [admin] from []
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40aba0:1:admin at default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [default][1][1][name=admin]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40aba0:1:admin at default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0xd310f0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [admin at default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xd3f3b0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xd3f470
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event 0xd3f3b0 "ltdb_callback"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0xd3f470 "ltdb_timeout"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0xd3f3b0 "ltdb_callback"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40aba0:1:admin at default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000): Terminated client [0xd34eb0][17]

ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin):

asq: Unable to register control with rootdse!
# record 1
dn: name=admin,cn=users,cn=default,cn=sysdb
createTimestamp: 1442509579
fullName: Administrator
gecos: Administrator
gidNumber: 1742200000
homeDirectory: /home/admin
loginShell: /bin/bash
name: admin
objectClass: user
uidNumber: 1742200000
originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
originalModifyTimestamp: 20150829000451Z
entryUSN: 1428
lastUpdate: 1442509579
dataExpireTimestamp: 1442514979
distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

Thanks,
Gustavo

On Thu, Sep 17, 2015 at 12:25 AM, Jakub Hrozek wrote:
> On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> > Hi,
> >
> > I have an IPA server running on redhat and I'm trying to find the best way to
> > get my amazon linux instances to use it for authentication, ssh key
> > management and sudo rules.
> >
> > I'm now trying to use SSSD to achieve those goals. Authentication is
> > working but I'm having problems to get the user public ssh keys using
> > /usr/bin/sss_ssh_authorizedkeys.
> >
> > This is my sssd.conf:
> >
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> > domains = default
> > re_expression = (?P<name>.+)
> >
> > [domain/default]
> > debug_level = 8
> > cache_credentials = True
> > id_provider = ldap
> > auth_provider = ldap
> > ldap_uri = ldap://ipa.my.domain.com
> > ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
> > ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
> > ldap_user_ssh_public_key = ipaSshPubKey
> >
> > The original configuration was done using ipa-advise ipa-advise
> > config-redhat-sssd-before-1-9.
>
> Is there any particular reason do keep doing this versus joining the
> client to the domain and using id_provider=ipa ?
>
> > I just changed the services parameter to
> > include "ssh, sudo" and "ldap_user_ssh_public_key"
>
> I don't think sudo would work unless you authenticate the LDAP
> connection.
>
> > When I run it on the client I get no response or error. Even running it in
> > debug mode:
> >
> > /usr/bin/sss_ssh_authorizedkeys admin --debug 10
>
> I would check if:
> - debug_level in the [ssh] section reveals anything. Is the ssh
> responder being contacted, are there any errors?
> - check with ldbsearch (ldb-tools package) if there ssh key
> attribute is really fetched from IPA LDAP and is stored along the
> user entry
>

From mkosek at redhat.com Thu Sep 17 19:04:10 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 17 Sep 2015 21:04:10 +0200
Subject: [Freeipa-users] Missing data encountered + Incremental update failed and requires administrator action
In-Reply-To: <55FAD2A2.1090108@opennms.org>
References: <55D75D1D.7060505@opennms.org> <55DABCBB.2010107@redhat.com> <55FAD2A2.1090108@opennms.org>
Message-ID: <55FB0EAA.2070901@redhat.com>

On 09/17/2015 04:48 PM, Benjamin Reed wrote:
> Sorry it's taken a while to get back to you, I was gone for a few
> weeks. This seemed to get us back up and running and things looked like
> they were working, but looking at the logs, it appears we're hitting the
> next issue that is going to eventually bite us.
> :)
>
> Here's what I'm seeing in the logs:
>
>> [15/Sep/2015:08:57:29 -0400] ipalockout_postop - [file ipa_lockout.c,
>> line 503]: Failed to retrieve entry "david": 32
>> [15/Sep/2015:09:56:20 -0400] ipalockout_preop - [file ipa_lockout.c,
>> line 749]: Failed to retrieve entry "emily": 32
>> [15/Sep/2015:09:56:20 -0400] ipalockout_postop - [file ipa_lockout.c,
>> line 503]: Failed to retrieve entry "emily": 32
>> [15/Sep/2015:11:50:34 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1]
>> No original_tombstone for changenumber=102502,cn=changelog!!
>> [15/Sep/2015:12:02:19 -0400] ipalockout_preop - [file ipa_lockout.c,
>> line 749]: Failed to retrieve entry "tina": 32
>> [15/Sep/2015:12:02:19 -0400] ipalockout_postop - [file ipa_lockout.c,
>> line 503]: Failed to retrieve entry "tina": 32
>
> I've found some references to this stuff in google searches, but I'm not
> real clear on what the implications are, nor how to go about
> understanding it well enough to know the right fix.

This is https://fedorahosted.org/freeipa/ticket/4889. So it should be benign, it just seems that some software of yours is using user name instead of DN to log user in. More info in the ticket.

>
> There are two hosts (ipa and ipa2). These logs are from the "ipa"
> server, the one I had to rebuild. I do eventually get this:
>
>> [15/Sep/2015:12:58:46 -0400] NSMMReplicationPlugin -
>> agmt="cn=meToipa2.XXX" (ipa2:389): Replication bind with GSSAPI auth
>> resumed
>
> ...but the original_tombstone thing makes me think something is still
> not in sync.

This message is actually OK, it means replication plugin was connected. Not sure about the tombstone though, if you are still hitting issues, I would suggest including bigger chunk of your server logs.

> Any clues as to what else I might need to do to make sure this server is
> back in 100% working order?
>
> Thanks,
> Ben
>
> On 8/24/15 2:42 AM, Martin Kosek wrote:
>>>> I fear this means that something is still not properly in sync and will
>>>> eventually come back to bite me. Any ideas what's going on here, and
>>>> how to fix it?
>> Yup, this looks as something that can eventually bite you. It looks like your
>> replica's CA database got somehow corrupted and stopped replicating with other
>> master. This could lead to outdated data on the replica, like certificates,
>> CRL, etc.
>>
>> You can re-initialize the Dogtag database from other healthy master with CA,
>> using "ipa-csreplica-manage" command. Some advice should be for example here:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-topology.html#initialize
>>
>> (Note that we need "ipa-csreplica-manage" in this case, as the reported faulty
>> agreement is Dogtag/CA agreement)
>

From janellenicole80 at gmail.com Thu Sep 17 19:37:25 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Thu, 17 Sep 2015 12:37:25 -0700
Subject: [Freeipa-users] 4.1 -> 4.2
In-Reply-To: <20150917172001.GC6168@redhat.com>
References: <55FAEDBD.6050503@gmail.com> <20150917172001.GC6168@redhat.com>
Message-ID: <55FB1675.7090503@gmail.com>

thank you - just downloaded the beta to check it out.
~J

On 9/17/15 10:20 AM, Alexander Bokovoy wrote:
> On Thu, 17 Sep 2015, Janelle wrote:
>> Here is an interesting problem. Currently running 4.1 on RHEL 7.1 --
>> I would like to migrate to 4.2, but that seems to only be running on
>> Fedora these days. Is there a way to bring up a 4.2.1c and migrate
>> to it from 4.1c using the ipa migrate tool? Or is there another way
>> possible??
> Just wait for RHEL 7.2 release. Beta version is already out and it
> includes IPA 4.2.
> > http://red.ht/1i65UND > From hectorl at alumni.usc.edu Thu Sep 17 22:24:02 2015 From: hectorl at alumni.usc.edu (HECTOR LOPEZ) Date: Thu, 17 Sep 2015 15:24:02 -0700 Subject: [Freeipa-users] user delete command hangs kdc and ldap stop responding Message-ID: This is rhel 7.1 with ipa version 4.1.0 user-show shows the user. However, if the user contains ipaNTSecurityIdentifier: attribute, user-del hangs with no response. Meanwhile, the KDC and 389ds stop working. The only way to recover functionality is to reboot the machine. ipactl restart does nothing. In the ldap access log I see this when trying to delete user sclown: [14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0 etime=0 [14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org" [14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca" [14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0 [14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn" [14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0 [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData" [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore [14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z 1:0 (0) [14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 nentries=0 etime=0 [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version 
algorithmId signingAlgorithmId publicKeyData" [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter [14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV 200:0:20150914093009Z 1:10 (0) [14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 tag=101 nentries=1 etime=0 [14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData" [14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV 200:0:20150914093009Z 0:0 (0) [14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 tag=101 nentries=0 etime=0 notes=U [14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description" [14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101 nentries=1 etime=0 [14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND Then in the ldap error log I see this, which makes me think there is a problem with the changelog: [14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for changenumber=91314,cn=changelog from entryrdn index (-30993) [14/Sep/2015:09:30:03 -0700] - Operation error fetching changenumber=91314,cn=changelog (null), error -30993. [14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error occured while adding change number 91314, dn = changenumber=91314,cn=changelog: Operations error. [14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: operation failure [1] After this both kdc and ldap stop responding. In the krb5kdc.log I see server errors after the user-del command is run. The only way to resume normal operations is to restart the whole machine. ipactl restart doesn't work. Any help would be highly appreciated! -------------- next part -------------- An HTML attachment was scrubbed... 
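As an added example, not code from this thread or from the FreeIPA project: a small Python triage script for the two 389-ds log excerpts posted above. It pairs each access-log request with its RESULT line to surface the DEL that never completed (the hang described in the user-del report), lists the operations that returned a non-zero LDAP result code, and buckets errors-log lines so that the benign ipalockout errno 32 messages from the earlier replication thread can be separated from retro changelog failures. The sample lines are copied from the two reports and embedded as constructed input; the regexes assume the default 389-ds access-log format, and the bucket rules are heuristics of my own, not anything the server or the project defines.

```python
"""Triage helper for 389-ds access and errors log excerpts (added example)."""
import re
from collections import Counter

# Constructed sample input: access-log lines copied from the user-del report above.
ACCESS_LOG = """\
[14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0 etime=0
[14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0
[14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
"""

# Constructed sample input: errors-log lines copied from both reports above.
ERRORS_LOG = """\
[15/Sep/2015:08:57:29 -0400] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "david": 32
[15/Sep/2015:11:50:34 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=102502,cn=changelog!!
[14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for changenumber=91314,cn=changelog from entryrdn index (-30993)
[14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error occured while adding change number 91314, dn = changenumber=91314,cn=changelog: Operations error.
[14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: operation failure [1]
[15/Sep/2015:12:58:46 -0400] NSMMReplicationPlugin - agmt="cn=meToipa2.XXX" (ipa2:389): Replication bind with GSSAPI auth resumed
"""

OP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) ')
# Requests the server never answers with a RESULT line, so their absence is not a hang.
NO_RESULT_OPS = ('UNBIND', 'ABANDON')


def parse_access_log(text):
    """Pair every request with its RESULT line, keyed by (conn, op).

    Each value is {'ts': str, 'request': str | None, 'err': int | None};
    err stays None when no RESULT for that (conn, op) appears in the excerpt."""
    ops = {}
    for line in text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        rec = ops.setdefault(key, {'ts': m['ts'], 'request': None, 'err': None})
        r = RESULT_RE.match(m['rest'])
        if r:
            rec['err'] = int(r['err'])
        else:
            rec['request'] = m['rest']
    return ops


def unfinished_ops(ops):
    """(conn, op) keys of requests with no RESULT in the excerpt. A DEL or MOD that
    stays here while later operations on other connections complete is the
    'slapd is stuck' signature worth pairing with a pstack of the process."""
    return sorted(k for k, v in ops.items()
                  if v['err'] is None and v['request'] is not None
                  and not v['request'].startswith(NO_RESULT_OPS))


def failed_ops(ops):
    """(conn, op, err) for every RESULT carrying a non-zero LDAP result code."""
    return sorted((k[0], k[1], v['err']) for k, v in ops.items() if v['err'])


def classify_error_line(line):
    """Bucket one errors-log line by the subsystem that emitted it (heuristic)."""
    if 'ipalockout_' in line and line.rstrip().endswith(': 32'):
        return 'lockout-noentry'   # 32 = noSuchObject: lookup by a name that is not a DN
    if 'cn=changelog' in line or 'retrocl' in line.lower():
        return 'retro-changelog'   # retro changelog / changenumber index trouble
    if 'NSMMReplicationPlugin' in line:
        return 'replication'
    return 'other'


def classify_errors(text):
    """Count errors-log lines per bucket."""
    return dict(Counter(classify_error_line(ln) for ln in text.splitlines() if ln.strip()))


if __name__ == '__main__':
    parsed = parse_access_log(ACCESS_LOG)
    print('unfinished:', unfinished_ops(parsed))
    print('failed:', failed_ops(parsed))
    print('errors:', classify_errors(ERRORS_LOG))
```

Run against the excerpt it reports conn=326 op=19 (the DEL of uid=sclown) as unfinished, and conn=12 op=442 (the MOD of cn=MasterCRL) with err=1, which lines up with the retrocl_postob operation failure logged at the same second. On a real incident, feed it the complete access log rather than a snippet: an operation only counts as hung when it stays unanswered while later operations on other connections keep completing.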
URL: From mkosek at redhat.com Fri Sep 18 07:46:16 2015 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 18 Sep 2015 09:46:16 +0200 Subject: [Freeipa-users] 4.1 -> 4.2 In-Reply-To: <55FB1675.7090503@gmail.com> References: <55FAEDBD.6050503@gmail.com> <20150917172001.GC6168@redhat.com> <55FB1675.7090503@gmail.com> Message-ID: <55FBC148.90600@redhat.com> Good to hear! Feedback is very welcome :-) On 09/17/2015 09:37 PM, Janelle wrote: > thank you - just downloaded the beta to check it out. > > ~J > > On 9/17/15 10:20 AM, Alexander Bokovoy wrote: >> On Thu, 17 Sep 2015, Janelle wrote: >>> Here is an interesting problem. Currently running 4.1 on RHEL 7.1 -- I would >>> like to migrate to 4.2, but that seems to only be running on Fedora these >>> days. Is there a way to bring up a 4.2.1c and migrate to it from 4.1c using >>> the ipa migrate tool? Or is there another way possible?? >> Just wait for RHEL 7.2 release. Beta version is already out and it >> includes IPA 4.2. >> >> http://red.ht/1i65UND >> > From lkrispen at redhat.com Fri Sep 18 07:52:11 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Fri, 18 Sep 2015 09:52:11 +0200 Subject: [Freeipa-users] user delete command hangs kdc and ldap stop responding In-Reply-To: References: Message-ID: <55FBC2AB.7060302@redhat.com> On 09/18/2015 12:24 AM, HECTOR LOPEZ wrote: > This is rhel 7.1 with ipa version 4.1.0 > > user-show shows the user. However, if the user contains > ipaNTSecurityIdentifier: attribute, user-del hangs with no response. > > Meanwhile, the KDC and 389ds stop working. The only way to recover > functionality is to reboot the machine. ipactl restart does nothing. If it hangs again, could you get a pstack of the slapd process? If you then kill slapd, does ipactl restart work? 
> > In the ldap access log I see this when trying to delete user sclown: > > [14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 > nentries=0 etime=0 > [14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL > dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org" > [14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD > dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca" > [14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 > nentries=0 etime=0 > [14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH > base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 > filter="(objectClass=securityDomainSessionEntry)" attrs="cn" > [14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 > nentries=0 etime=0 > [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH > base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 > filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore > notAfter duration extension subjectName userCertificate version > algorithmId signingAlgorithmId publicKeyData" > [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore > [14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z > 1:0 (0) > [14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 > nentries=0 etime=0 > [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH > base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 > filter="(certStatus=VALID)" attrs="objectClass serialno notBefore > notAfter duration extension subjectName userCertificate version > algorithmId signingAlgorithmId publicKeyData" > [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter > [14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV 200:0:20150914093009Z > 1:10 (0) > [14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 tag=101 > nentries=1 etime=0 > [14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH > base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 > filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno > revInfo notAfter notBefore duration extension 
subjectName > userCertificate version algorithmId signingAlgorithmId publicKeyData" > [14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV 200:0:20150914093009Z > 0:0 (0) > [14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 tag=101 > nentries=0 etime=0 notes=U > [14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH > base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 > filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description" > [14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101 > nentries=1 etime=0 > [14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND > > Then in the ldap error log I see this, which makes me think there is a > problem with the changelog: > > [14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for > changenumber=91314,cn=changelog from entryrdn index (-30993) > [14/Sep/2015:09:30:03 -0700] - Operation error fetching > changenumber=91314,cn=changelog (null), error -30993. > [14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error > occured while adding change number 91314, dn = > changenumber=91314,cn=changelog: Operations error. > [14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: > operation failure [1] > > After this both kdc and ldap stop responding. In the krb5kdc.log I see > server errors after the user-del command is run. The only way to > resume normal operations is to restart the whole machine. ipactl > restart doesn't work. > > Any help would be highly appreciated! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From andreas.ladanyi at kit.edu Fri Sep 18 08:26:25 2015 From: andreas.ladanyi at kit.edu (Andreas Ladanyi) Date: Fri, 18 Sep 2015 10:26:25 +0200 Subject: [Freeipa-users] Custom scripts Message-ID: <55FBCAB1.5060102@kit.edu> Hi, I am looking for a possibility to add a custom script which will be executed after creating a new user. I am using the latest release of FreeIPA 4.2 from COPR in Fedora 22. 
I found this post in the archive from 2011: https://www.redhat.com/archives/freeipa-users/2011-September/msg00076.html Is this in principle also the way in FreeIPA 4.2? regards, Andreas -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5326 bytes Desc: S/MIME Cryptographic Signature URL: From andreas.ladanyi at kit.edu Fri Sep 18 08:36:59 2015 From: andreas.ladanyi at kit.edu (Andreas Ladanyi) Date: Fri, 18 Sep 2015 10:36:59 +0200 Subject: [Freeipa-users] Add custom script Message-ID: <55FBCD2B.7020104@kit.edu> Hi, I am looking for a possibility to add a custom script which will be executed after creating a new user. I am using the latest release of FreeIPA 4.2 from COPR in Fedora 22. I found this post in the archive from 2011: https://www.redhat.com/archives/freeipa-users/2011-September/msg00076.html Is this in principle also the way in FreeIPA 4.2? regards, Andreas From jhrozek at redhat.com Fri Sep 18 08:40:56 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 18 Sep 2015 10:40:56 +0200 Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat) In-Reply-To: References: <20150917072515.GP14560@hendrix.arn.redhat.com> Message-ID: <20150918084056.GE3162@hendrix.redhat.com> On Thu, Sep 17, 2015 at 10:33:41AM -0700, Gustavo Mateus wrote: > When I use id_provider=ipa I get: > > [sssd[be[default]]] [main] (0x0010): Could not initialize backend [2] Ah, I think they simply don't package the IPA backend. Time to file an RFE with Amazon? :-) > > > Adding a [ssh] section with just "debug_level = 10" on it, I get: > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client > creds: euid[1742200001] egid[1742200001] pid[6295]. > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > timer re-set for client [0xd34eb0][17] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client > connected! 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > timer re-set for client [0xd34eb0][17] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): > Received client version [0]. > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): > Offered version [0]. > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > timer re-set for client [0xd34eb0][17] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > timer re-set for client [0xd34eb0][17] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): > Requested domain [] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): > Parsing name [admin][] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain > not provided! > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains] > (0x0200): name 'admin' matched without domain, user is admin > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] > (0x0400): Requesting SSH user public keys for [admin] from [] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x40aba0:1:admin at default] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): > Creating request for [default][1][1][name=admin] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0 > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): > Entering request [0x40aba0:1:admin at default] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000): > 0xd32ba0 > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: > 0xd310f0 > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): > Dispatching. 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 0 errno: 0 error message: Success > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next] > (0x0400): Requesting SSH user public keys for [admin at default] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain > not provided! > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event > "ltdb_callback": 0xd3f3b0 > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event > "ltdb_timeout": 0xd3f470 > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event > 0xd3f3b0 "ltdb_callback" > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer > event 0xd3f470 "ltdb_timeout" > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event > 0xd3f3b0 "ltdb_callback" > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): > Deleting request: [0x40aba0:1:admin at default] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > timer re-set for client [0xd34eb0][17] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > timer re-set for client [0xd34eb0][17] > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client > disconnected! > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000): > Terminated client [0xd34eb0][17] > > > > > ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb > name=admin): > > > asq: Unable to register control with rootdse! 
> # record 1 > dn: name=admin,cn=users,cn=default,cn=sysdb > createTimestamp: 1442509579 > fullName: Administrator > gecos: Administrator > gidNumber: 1742200000 > homeDirectory: /home/admin > loginShell: /bin/bash > name: admin > objectClass: user > uidNumber: 1742200000 > originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com > originalModifyTimestamp: 20150829000451Z > entryUSN: 1428 > lastUpdate: 1442509579 > dataExpireTimestamp: 1442514979 > distinguishedName: name=admin,cn=users,cn=default,cn=sysdb The communication between the ssh responder and the back end went fine. I think I should have been more careful the first time around, looks like the backend cannot find the attribute in LDAP (some ACI problems, maybe?) >From your earlier logs: (Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [admin]. You can run a similar query manually: ldapsearch -x -H ldap://your.ipa.server -b cn=compat,dc=my,dc=domain,dc=com (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))) Does that show the sshPublicKey ? From jhrozek at redhat.com Fri Sep 18 08:41:52 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 18 Sep 2015 10:41:52 +0200 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> Message-ID: <20150918084152.GF3162@hendrix.redhat.com> On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote: > I've narrowed it down a bit doing some testing. The sudo rules work when I remove the user group restriction from them. 
My sudo rules all have my ad groups in the rule > > Rule name: ad_linux_admins > Enabled: TRUE > Host category: all > Command category: all > RunAs User category: all > RunAs Group category: all > User Groups: ad_linux_admins <- if I remove this then the rule gets applied Nice catch. Is the group visible after you login and run id? What is the exact IPA server version? From pvoborni at redhat.com Fri Sep 18 08:44:14 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 18 Sep 2015 10:44:14 +0200 Subject: [Freeipa-users] last step in retiring old RHEL 6 (IPA 3.0.0) servers In-Reply-To: References: <55FAA0DB.80201@redhat.com> <55FAAAF2.9070904@redhat.com> Message-ID: <55FBCEDE.7090906@redhat.com> On 09/17/2015 06:19 PM, Craig White wrote: > -----Original Message----- > From: Petr Vobornik [mailto:pvoborni at redhat.com] > Sent: Thursday, September 17, 2015 4:59 AM > To: Martin Kosek; Craig White; freeipa-users at redhat.com; Jan Cholasta > Subject: Re: [Freeipa-users] last step in retiring old RHEL 6 (IPA 3.0.0) servers > > On 09/17/2015 01:15 PM, Martin Kosek wrote: >> On 09/16/2015 06:54 PM, Craig White wrote: >>> Virtually completed the steps listed here... >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linu >>> x/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrat >>> ing-ipa-proc.html >>> >>> Managed to get IPA2 deleted and removed from 'ipa-replica-manage list' so now it is down to IPA1. No amount of effort will seem to kill that sucker off. >>> >>> ipa-replica-manage del ipa1.stt.local --force Connection to >>> 'ipa1.stt.local' failed: >>> Forcing removal of ipa1.stt.local >>> Skipping calculation to determine if one or more masters would be orphaned. >>> No RUV records found. >>> >>> $ ipa-replica-manage del ipa1.stt.local --force -c Connection to >>> 'ipa1.stt.local' failed: >>> Forcing removal of ipa1.stt.local >>> Skipping calculation to determine if one or more masters would be orphaned. 
>>> No RUV records found. >>> >>> $ ipa-replica-manage list >>> ipa1.stt.local: master >>> ipa3.stt.local: master >>> ipa4.stt.local: master >>> >>> Obviously connection to ipa1 failed because in previous step, I had >>> to shut it down on ipa1 (ipactl stop) >>> >>> What's the trick to get rid of an old, discontinued 'master' ? >>> >>> Craig White >> >> Quickly looking at ipa-replica-manage code, the del command will end >> if there is no RUV. So it seems that in some of your previous RUV was >> deleted, but server record was not. >> >> What does >> # ipa-replica-manage list-ruv >> show? >> >> Petr or Honza, is the only option here to >> 1) Use ldapdelete to delete the master record in cn=masters as a >> hotfix for this issue > > It will fix the replica manage output but replica cleanup does more things than just a removal of master entry. It also: > deletes services of the host This part could be done in web ui - check for /ipa1.stt.local at STT.LOCAL where is usually DNS, HTTP and ldap > removes s4u2proxy configuration > removes some ACIs > > More info: > https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/replication.py#n1185 > > >> 2) File a ticket to avoid get_ruv function exit the whole "del" >> command when --force is in play to fix this long-term > > https://fedorahosted.org/freeipa/ticket/5307 > ---- > OK - I think I see the LDAP entries and just wanting confirmation before I do great harm :-) > > Dn: cn=ipa1.stt.local,cn=masters,cn=ipa,cn=etc,dc=stt,dc=local yes If by ipa1_ETC you mean (assuming that your realm is STT.LOCAL): > Dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=stt,dc=local - attribute memberPrincipal ipa1_ETC HTTP/ipa1.stt.local at STT.LOCAL > Dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=stt,dc=local - attribute memberPrincipal ipa1_ETC ldap/ipa1.stt.local at STT.LOCAL > > The one DN and the 2 attributes are what I should delete to get rid of this dead master? 
> > Rummaging around, I do see other hanging chads (pardon the election season humor)... > > DN: dnaHostname ipa1.stt.local + 0,cn=posix-ids,cn=dna,cn=etc,dc=stt,dc=local (that is apparently 'dnaPortNum 0 and dnaSecurePortNum 636) > DN: dnaHostname ipa1.stt.local + 389,cn=posix-ids,cn=dna,cn=etc,dc=stt,dc=local (that is apparently 'dnaPortNum 389 and dnaSecurePortNum 636) > > And if were to delete the first one, there wouldn't be any entries pointing to port '0' but that just looks strange to me anyway. If I delete both the above, then all that is left is just the 2 new RHEL 7 IPA/iDM servers on ports 389/636 which seems right to me. Check if the DNA range configuration for the deleted master does contain dnaRemainingValues other than 0. In that case you might want to check the DNA configuration of the other masters to be sure that another master can issue posix numbers. DNA ranges could be also configured using ipa-replica-manage. > > If there are actual ACI's to edit, I am afraid I don't have a tool to do that very easily. Could be seen e.g., when browsing the LDAP structure in Apache Directory Studio as Directory Manager. It's the 'aci' attribute of entry cn=masters,cn=ipa,cn=etc,$SUFFIX There should be two which contain the deleted replica hostname. One has name "Read IPA Masters" the other "Modify IPA Masters". > > Thanks > > Craig > -- Petr Vobornik From andreas.ladanyi at kit.edu Fri Sep 18 08:47:00 2015 From: andreas.ladanyi at kit.edu (Andreas Ladanyi) Date: Fri, 18 Sep 2015 10:47:00 +0200 Subject: [Freeipa-users] Add custom script Message-ID: <55FBCF84.8000106@kit.edu> Hi, Sorry, my last post was with the wrong link. I am looking for a possibility to add a custom script which will be executed after creating a new user. I am using the latest release of FreeIPA 4.2 from COPR in Fedora 22. I found this post in the archive: http://freeipa-users.redhat.narkive.com/cgjMKenp/user-custom-script Is this in principle also the way in FreeIPA 4.2? 
regards, Andreas From karl.forner at gmail.com Fri Sep 18 13:13:43 2015 From: karl.forner at gmail.com (Karl Forner) Date: Fri, 18 Sep 2015 15:13:43 +0200 Subject: [Freeipa-users] ipaSshPubKey and ldapsearch Message-ID: Hello, I'm trying to integrate the freeIPA SSH public key with gitlab Enterprise Edition. They have a configuration setting **ldap_sync_ssh_keys** that I tried to set to 'ipaSshPubKey' but it does not work. While trying to understand the problem, I realized that I don't even know how to retrieve this attribute using ldapsearch. Could you help with the ldapsearch command-line ? Could it be a permission problem ? Thanks, Karl From Andy.Thompson at e-tcc.com Fri Sep 18 13:56:33 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Fri, 18 Sep 2015 13:56:33 +0000 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <20150918084152.GF3162@hendrix.redhat.com> References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> Message-ID: <3472606525ee47c4b4a9f739c746f8f6@TCCCORPEXCH02.TCC.local> > -----Original Message----- > From: Jakub Hrozek [mailto:jhrozek at redhat.com] > Sent: Friday, September 18, 2015 4:42 AM > To: Andy Thompson > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo > > On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote: > > I've narrowed it down a bit doing some testing. The sudo rules work when > I remove the user group restriction from them. My sudo rules all have my ad > groups in the rule > > > > Rule name: ad_linux_admins > > Enabled: TRUE > > Host category: all > > Command category: all > > RunAs User category: all > > RunAs Group category: all > > User Groups: ad_linux_admins <- if I remove this then the rule gets > applied > > Nice catch. Is the group visible after you login and run id? 
Ya the groups show up for the users using id [athompson at mhbenp.local@mdhixuatsmtp01 ~]$ id uid=1506401106(athompson at mhbenp.local) gid=1506401106(athompson at mhbenp.local) groups=1506401106(athompson at mhbenp.local),1249000010(ad_linux_admins),1506400512(domain admins at mhbenp.local),1506400513(domain users at mhbenp.local),1506401124(admin vpn users at mhbenp.local),1506401239(linux admins at mhbenp.local) > > What is the exact IPA server version? Installed Packages ipa-server.x86_64 4.1.0-18.el7_1.4 thanks -andy From karl.forner at gmail.com Fri Sep 18 14:45:28 2015 From: karl.forner at gmail.com (Karl Forner) Date: Fri, 18 Sep 2015 16:45:28 +0200 Subject: [Freeipa-users] ipaSshPubKey and ldapsearch In-Reply-To: References: Message-ID: Sorry, my mistake. The following works fine: % ldapsearch -x -D 'uid=ldap_gitlab,cn=users,cn=accounts,dc=quartzbio,dc=com' -W uid=karl cn ipaSshPubKey Karl On Fri, Sep 18, 2015 at 3:13 PM, Karl Forner wrote: > Hello, > > I'm trying to integrate the freeIPA SSH public key with gitlab > Enterprise Edition. > > They have a configuration setting **ldap_sync_ssh_keys** that I tried > to set to 'ipaSshPubKey' > but it does not work. > > While trying to understand the problem, I realized that I don't even > know how to retrieve this attribute using ldapsearch. > > Could you help with the ldapsearch command-line ? > > Could it be a permission problem ? > > Thanks, > Karl From APtashnik at cccis.com Fri Sep 18 14:45:34 2015 From: APtashnik at cccis.com (Andrey Ptashnik) Date: Fri, 18 Sep 2015 14:45:34 +0000 Subject: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4 In-Reply-To: <55FADD10.7030107@redhat.com> References: <20150916134332.GQ6168@redhat.com> <68F12368-A7D8-463A-BC34-BA1EB08C02CB@cccis.com> <7F7367ED-0EB6-4F41-BC27-278528768E64@cccis.com> <55FADD10.7030107@redhat.com> Message-ID: <88267017-9D11-4E89-A07D-A6706231B0B8@cccis.com> I think I got it working. 
Solution in my case was to run following on client nodes: yum install sssd-1.12.4-47.el6.x86_64 And on IPA server for each Forward and Reverse lookup zone I ran: ipa dnszone-mod XXXXXXXXX.COM. --allow-sync-ptr=TRUE --dynamic-update=TRUE ipa dnszone-mod 44.28.10.in-addr.arpa. --allow-sync-ptr=TRUE --dynamic-update=TRUE Ultimately I think bringing all nodes to SSSD 1.12.4 version solved the problem. Thank you, IPA team, for your support! Regards, Andrey Ptashnik On 9/17/15, 10:32 AM, "Rob Crittenden" wrote: >Andrey Ptashnik wrote: >> Any ideas on that? > >/var/log/ipaclient-install.log probably has more details on the DNS >update failure. > >rob > >> >> Regards, >> >> Andrey Ptashnik | Network Architect >> CCC Information Services Inc. >> 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654 >> Office: +1-312-229-2533 | Cell : +1-773-315-0200 | aptashnik at cccis.com >> >> >> >> >> >> >> >> On 9/16/15, 11:30 AM, "freeipa-users-bounces at redhat.com on behalf of Andrey Ptashnik" wrote: >> >>> Alexander, >>> >>> Thank you for your feedback! >>> >>> In my environment I noticed that client machines that are on Red Hat 6 have version 3.0.0 of IPA client installed. 
>>> >>> [root at ptr-test-6 ~]# yum list installed | grep ipa >>> ipa-client.x86_64 3.0.0-47.el6 >>> ipa-python.x86_64 3.0.0-47.el6 >>> >>> >>> [root at ptr-test-6 ~]# yum list installed | grep sssd >>> python-sssdconfig.noarch 1.12.4-47.el6 >>> sssd.x86_64 1.12.4-47.el6 >>> sssd-ad.x86_64 1.12.4-47.el6 >>> sssd-client.x86_64 1.12.4-47.el6 >>> sssd-common.x86_64 1.12.4-47.el6 >>> sssd-common-pac.x86_64 1.12.4-47.el6 >>> sssd-ipa.x86_64 1.12.4-47.el6 >>> sssd-krb5.x86_64 1.12.4-47.el6 >>> sssd-krb5-common.x86_64 1.12.4-47.el6 >>> sssd-ldap.x86_64 1.12.4-47.el6 >>> sssd-proxy.x86_64 1.12.4-47.el6 >>> [root at ptr-test-6 ~]# >>> >>> >>> And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 - when I add machines to the domain using the command below: >>> >>> # ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir >>> >>> DNS records populate in the Forward lookup zone, but no PTR records appear in the Reverse lookup zones. That behavior is not the same with the IPA client 4.1 and IPA server 4.1 version combination. >>> >>> Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see the output below: >>> >>> Synchronizing time with KDC... >>> Enrolled in IPA realm XXXXXXXXX.COM >>> Attempting to get host TGT... >>> Created /etc/ipa/default.conf >>> New SSSD config will be created >>> Configured sudoers in /etc/nsswitch.conf >>> Configured /etc/sssd/sssd.conf >>> Configured /etc/krb5.conf for IPA realm XXXXXXXXX.COM >>> trying https://ipa-idm.XXXXXXXXX.COM/ipa/xml >>> Forwarding 'env' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml' >>> Failed to update DNS records. 
>>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub >>> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub >>> Forwarding 'host_mod' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml' >>> SSSD enabled >>> Configuring XXXXXXXXX.COM as NIS domain >>> Configured /etc/openldap/ldap.conf >>> NTP enabled >>> Configured /etc/ssh/ssh_config >>> Configured /etc/ssh/sshd_config >>> Client configuration complete. >>> >>> >>> Regards, >>> >>> Andrey Ptashnik >>> >>> >>> >>> >>> >>> >>> On 9/16/15, 8:43 AM, "Alexander Bokovoy" wrote: >>> >>>> On Wed, 16 Sep 2015, Andrey Ptashnik wrote: >>>>> Dear IPA Team, >>>>> >>>>> We have a situation in our datacenter where we deployed Red Hat 7.1 >>>>> with IPA server 4.1 and on the other hand we still have older machines >>>>> with Red Hat 5 and 6. I noticed that repositories associated with >>>>> version 6 have an older version of the client software, v.3.0. Therefore >>>>> some functionality is missing from client package 3 vs 4, like >>>>> automatic update of both forward and reverse DNS records. >>>>> >>>>> Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without >>>>> much breaking dependencies in OS? >>>> You don't need to install IPA python packages on older machines. These >>>> packages are mostly for administration purposes. >>>> >>>> Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6 >>>> version of SSSD is on par with RHEL 7 version in the recent updates. >>>> Additionally, MIT Kerberos backports were done in the recent updates to >>>> allow OTP functionality in RHEL6 as well. So most of features are there >>>> already, client-wise. >>>> >>>> RHEL5 version does not have such updates and you can implement most of >>>> the support with existing SSSD and output of 'ipa-advise' tool on IPA >>>> masters. nsupdate integration would probably need to be done >>>> differently. >>>> >>>> Backporting IPA v4.x client code to RHEL 5 or 6 in general does not make >>>> much sense. 
>>>> >>>> -- >>>> / Alexander Bokovoy >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >> > From gustavo.mateus at gmail.com Fri Sep 18 17:17:46 2015 From: gustavo.mateus at gmail.com (Gustavo Mateus) Date: Fri, 18 Sep 2015 10:17:46 -0700 Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat) In-Reply-To: <20150918084056.GE3162@hendrix.redhat.com> References: <20150917072515.GP14560@hendrix.arn.redhat.com> <20150918084056.GE3162@hendrix.redhat.com> Message-ID: That only shows this: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))) # requesting: ALL # # admin, users, compat, my.domain.com dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com cn: Administrator uidNumber: 1742200000 objectClass: posixAccount objectClass: top gidNumber: 1742200000 gecos: Administrator loginShell: /bin/bash homeDirectory: /home/admin uid: admin # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 On Fri, Sep 18, 2015 at 1:40 AM, Jakub Hrozek wrote: > On Thu, Sep 17, 2015 at 10:33:41AM -0700, Gustavo Mateus wrote: > > When I use id_provider=ipa I get: > > > > [sssd[be[default]]] [main] (0x0010): Could not initialize backend [2] > > Ah, I think they simply don't package the IPA backend. > > Time to file an RFE with Amazon? :-) > > > > > > > Adding a [ssh] section with just "debug_level = 10"on it, I get: > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client > > creds: euid[1742200001] egid[1742200001] pid[6295]. > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > > timer re-set for client [0xd34eb0][17] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): > Client > > connected! 
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain []
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [admin][]
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [admin] from []
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40aba0:1:admin at default]
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [default][1][1][name=admin]
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40aba0:1:admin at default]
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xd32ba0
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0xd310f0
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [admin at default]
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xd3f3b0
> >
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xd3f470
> >
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event 0xd3f3b0 "ltdb_callback"
> >
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0xd3f470 "ltdb_timeout"
> >
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0xd3f3b0 "ltdb_callback"
> >
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40aba0:1:admin at default]
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000): Terminated client [0xd34eb0][17]
> >
> > ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin):
> >
> > asq: Unable to register control with rootdse!
> > # record 1
> > dn: name=admin,cn=users,cn=default,cn=sysdb
> > createTimestamp: 1442509579
> > fullName: Administrator
> > gecos: Administrator
> > gidNumber: 1742200000
> > homeDirectory: /home/admin
> > loginShell: /bin/bash
> > name: admin
> > objectClass: user
> > uidNumber: 1742200000
> > originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> > originalModifyTimestamp: 20150829000451Z
> > entryUSN: 1428
> > lastUpdate: 1442509579
> > dataExpireTimestamp: 1442514979
> > distinguishedName: name=admin,cn=users,cn=default,cn=sysdb
>
> The communication between the ssh responder and the back end went fine.
> I think I should have been more careful the first time around; it looks
> like the backend cannot find the attribute in LDAP (some ACI problems,
> maybe?)
>
> From your earlier logs:
> (Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [admin].
>
> You can run a similar query manually:
> ldapsearch -x -H ldap://your.ipa.server -b cn=compat,dc=my,dc=domain,dc=com '(&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))'
>
> Does that show the sshPublicKey?

From hectorl at alumni.usc.edu Fri Sep 18 19:20:39 2015
From: hectorl at alumni.usc.edu (HECTOR LOPEZ)
Date: Fri, 18 Sep 2015 12:20:39 -0700
Subject: [Freeipa-users] user delete command hangs kdc and ldap stop responding
In-Reply-To: <55FBC2AB.7060302@redhat.com>
References: <55FBC2AB.7060302@redhat.com>
Message-ID:

Ludwig Krispenz,

This is the output of gstack on ns-slapd (pstack on rhel). Also, killing the ns-slapd process gave this error: "ipa: ERROR: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-GSEIS-UCLA-EDU.socket': ". After that I could use ipactl restart and the command runs successfully. Thank you for helping me.
Again, here is the pstack output of ns-slapd: -sh-4.2$ sudo gstack 2197 Thread 45 (Thread 0x7f3ad8144700 (LWP 2651)): #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6 #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0 #2 0x00007f3adc11e4a7 in deadlock_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 44 (Thread 0x7f3ad7943700 (LWP 2652)): #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6 #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0 #2 0x00007f3adc122576 in checkpoint_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 43 (Thread 0x7f3ad7142700 (LWP 2653)): #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6 #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0 #2 0x00007f3adc11e71f in trickle_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 42 (Thread 0x7f3ad6941700 (LWP 2654)): #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6 #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0 #2 0x00007f3adc119437 in perf_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 41 (Thread 0x7f3ad6140700 (LWP 2655)): #0 0x00007f3ae76e1705 in 
pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0 #3 0x00007f3ae058164e in cos_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libcos-plugin.so #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 40 (Thread 0x7f3ad593f700 (LWP 2656)): #0 0x00007f3ae7400b7d in poll () from /lib64/libc.so.6 #1 0x00007f3addf0247c in ipa_cldap_worker () from /usr/lib64/dirsrv/plugins/libipa_cldap.so #2 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #3 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 39 (Thread 0x7f3ad513e700 (LWP 2657)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0 #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 38 (Thread 0x7f3ad493d700 (LWP 2658)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0 #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 37 (Thread 
0x7f3acffff700 (LWP 2659)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0 #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 36 (Thread 0x7f3acf7fe700 (LWP 2660)): #0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so #2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so #3 0x00007f3ae9e21a93 in housecleaning () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 35 (Thread 0x7f3aceffd700 (LWP 2661)): #0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so #2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so #3 0x00007f3ae9914188 in eq_loop () from /usr/lib64/dirsrv/libslapd.so.0 #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 34 (Thread 0x7f3ace55b700 (LWP 2663)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from 
/lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 33 (Thread 0x7f3acdd5a700 (LWP 2664)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 32 (Thread 0x7f3acd559700 (LWP 2665)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ libdb-5.3.so #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #17 0x00007f3adc126a90 in filter_candidates_ext () 
from /usr/lib64/dirsrv/plugins/libback-ldbm.so #18 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #19 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #20 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #21 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #22 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #23 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #24 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0 #25 0x00007f3ae9e2b07e in do_search () #26 0x00007f3ae9e1a405 in connection_threadmain () #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 31 (Thread 0x7f3accd58700 (LWP 2666)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ libdb-5.3.so #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #13 
0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #18 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #19 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #20 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #21 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #22 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #23 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #24 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0 #25 0x00007f3ae9e2b07e in do_search () #26 0x00007f3ae9e1a405 in connection_threadmain () #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 30 (Thread 0x7f3ac3fff700 (LWP 2667)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ libdb-5.3.so #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so #7 0x00007f3ae22b6256 in __bamc_search () from 
/lib64/libdb-5.3.so #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #18 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #19 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #20 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0 #21 0x00007f3ae99501de in search_internal_callback_pb () from /usr/lib64/dirsrv/libslapd.so.0 #22 0x00007f3ae9950478 in search_internal_pb () from /usr/lib64/dirsrv/libslapd.so.0 #23 0x00007f3ae9e291fb in ids_sasl_canon_user () #24 0x00007f3ae7afd93b in _sasl_canon_user () from /lib64/libsasl2.so.3 #25 0x00007f3ae7afdc4c in _sasl_canon_user_lookup () from /lib64/libsasl2.so.3 #26 0x00007f3ae1c226de in crammd5_server_mech_step2.isra.6 () from /usr/lib64/sasl2/libcrammd5.so #27 0x00007f3ae1c22ad9 in crammd5_server_mech_step () from /usr/lib64/sasl2/libcrammd5.so #28 0x00007f3ae7b09b88 in sasl_server_step () from /lib64/libsasl2.so.3 #29 0x00007f3ae9e2a576 in ids_sasl_check_bind () #30 0x00007f3ae9e13b22 in do_bind () #31 0x00007f3ae9e1a43f in connection_threadmain () #32 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #33 
0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #34 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 29 (Thread 0x7f3ac37fe700 (LWP 2668)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ libdb-5.3.so #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #18 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #19 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #20 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #21 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #22 0x00007f3adc161fdc 
in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #23 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #24 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0 #25 0x00007f3ae9e2b07e in do_search () #26 0x00007f3ae9e1a405 in connection_threadmain () #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 28 (Thread 0x7f3ac2ffd700 (LWP 2669)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 27 (Thread 0x7f3ac27fc700 (LWP 2670)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 26 (Thread 0x7f3ac1ffb700 (LWP 2671)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from 
/lib64/libc.so.6 Thread 25 (Thread 0x7f3ac17fa700 (LWP 2672)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 24 (Thread 0x7f3ac0ff9700 (LWP 2673)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 23 (Thread 0x7f3abbfff700 (LWP 2674)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 22 (Thread 0x7f3abb7fe700 (LWP 2675)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 21 
(Thread 0x7f3abaffd700 (LWP 2676)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 20 (Thread 0x7f3aba7fc700 (LWP 2677)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 19 (Thread 0x7f3ab9ffb700 (LWP 2678)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 18 (Thread 0x7f3ab97fa700 (LWP 2679)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 17 (Thread 0x7f3ab8ff9700 (LWP 
2680)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 16 (Thread 0x7f3ab87f8700 (LWP 2681)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 15 (Thread 0x7f3ab7ff7700 (LWP 2682)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 14 (Thread 0x7f3ab77f6700 (LWP 2683)): #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007f3ae9e1865e in connection_wait_for_new_work () #3 0x00007f3ae9e1988d in connection_threadmain () #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 Thread 13 (Thread 0x7f3ab6ff5700 (LWP 2684)): #0 
0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
#2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
#3 0x00007f3ae9e1988d in connection_threadmain ()
#4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 12 (Thread 0x7f3ab67f4700 (LWP 2685)):
#0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
#2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
#3 0x00007f3ae9e1988d in connection_threadmain ()
#4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 11 (Thread 0x7f3ab5ff3700 (LWP 2686)):
#0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
#2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
#3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
#4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
#5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
#6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
#7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
#8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
#9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
#10 0x00007f3ae237d843 in __db_get () from /lib64/libdb-5.3.so
#11 0x00007f3ae2381123 in __db_get_pp () from /lib64/libdb-5.3.so
#12 0x00007f3adc12949b in id2entry () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
#13 0x00007f3adc14f7dd in ldbm_back_delete () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
#14 0x00007f3ae9900190 in op_shared_delete () from /usr/lib64/dirsrv/libslapd.so.0
#15 0x00007f3ae9900342 in delete_internal_pb () from /usr/lib64/dirsrv/libslapd.so.0
#16 0x00007f3adba44739 in mep_del_post_op () from /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so
#17 0x00007f3ae994c280 in plugin_call_func () from /usr/lib64/dirsrv/libslapd.so.0
#18 0x00007f3ae994c4d8 in plugin_call_plugins () from /usr/lib64/dirsrv/libslapd.so.0
#19 0x00007f3adc14e42e in ldbm_back_delete () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
#20 0x00007f3ae9900190 in op_shared_delete () from /usr/lib64/dirsrv/libslapd.so.0
#21 0x00007f3ae9900453 in do_delete () from /usr/lib64/dirsrv/libslapd.so.0
#22 0x00007f3ae9e1a37e in connection_threadmain ()
#23 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#24 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#25 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 10 (Thread 0x7f3ab57f2700 (LWP 2687)):
#0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
#2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
#3 0x00007f3ae9e1988d in connection_threadmain ()
#4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 9 (Thread 0x7f3ab4ff1700 (LWP 2688)):
#0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
#2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
#3 0x00007f3ae9e1988d in connection_threadmain ()
#4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 8 (Thread 0x7f3ab47f0700 (LWP 2689)):
#0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
#2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
#3 0x00007f3ae9e1988d in connection_threadmain ()
#4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 7 (Thread 0x7f3ab3fef700 (LWP 2690)):
#0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
#2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
#3 0x00007f3ae9e1988d in connection_threadmain ()
#4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 6 (Thread 0x7f3ab37ee700 (LWP 2691)):
#0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
#2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
#3 0x00007f3ae9e1988d in connection_threadmain ()
#4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 5 (Thread 0x7f3ab2fed700 (LWP 2692)):
#0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
#2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
#3 0x00007f3ae9e1988d in connection_threadmain ()
#4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 4 (Thread 0x7f3ab27ec700 (LWP 2693)):
#0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
#1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
#2 0x00007f3ae9e1b2c5 in time_thread ()
#3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 3 (Thread 0x7f3ab1feb700 (LWP 2725)):
#0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so
#2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so
#3 0x00007f3ae0376374 in sync_send_results () from /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so
#4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 2 (Thread 0x7f3ab17ea700 (LWP 2967)):
#0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
#2 0x00007f3ae9e25c85 in ps_send_results ()
#3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 1 (Thread 0x7f3ae9de2840 (LWP 2197)):
#0 0x00007f3ae76e3f7d in __lll_lock_wait () from /lib64/libpthread.so.0
#1 0x00007f3ae76dfd68 in _L_lock_975 () from /lib64/libpthread.so.0
#2 0x00007f3ae76dfd11 in pthread_mutex_lock () from /lib64/libpthread.so.0
#3 0x00007f3ae7d36cb9 in PR_Lock () from /lib64/libnspr4.so
#4 0x00007f3ae9e1def6 in slapd_daemon ()
#5 0x00007f3ae9e1117c in main ()
-sh-4.2$

On Fri, Sep 18, 2015 at 12:52 AM, Ludwig Krispenz wrote:
>
> On 09/18/2015 12:24 AM, HECTOR LOPEZ wrote:
>
> This is rhel 7.1 with ipa version 4.1.0
>
> user-show shows the user. However, if the user contains
> ipaNTSecurityIdentifier: attribute, user-del hangs with no response.
>
> Meanwhile, the KDC and 389ds stop working. The only way to recover
> functionality is to reboot the machine. ipactl restart does nothing.
>
> If it hangs again, could you get a pstack of the slapd process ?
> If you then kill slapd, does ipactl restart work ?
>
>
> In the ldap access log I see this when trying to delete user sclown:
>
> [14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0 etime=0
> [14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0
> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z 1:0 (0)
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 nentries=0 etime=0
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV 200:0:20150914093009Z 1:10 (0)
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 tag=101 nentries=1 etime=0
> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV 200:0:20150914093009Z 0:0 (0)
> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101 nentries=1 etime=0
> [14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
>
> Then in the ldap error log I see this, which makes me think there is a
> problem with the changelog:
>
> [14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for changenumber=91314,cn=changelog from entryrdn index (-30993)
> [14/Sep/2015:09:30:03 -0700] - Operation error fetching changenumber=91314,cn=changelog (null), error -30993.
> [14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error occured while adding change number 91314, dn = changenumber=91314,cn=changelog: Operations error.
> [14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: operation failure [1]
>
> After this both kdc and ldap stop responding. In the krb5kdc.log I see
> server errors after the user-del command is run. The only way to resume
> normal operations is to restart the whole machine. ipactl restart doesn't
> work.
>
> Any help would be highly appreciated!
>
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
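The pstack above is the evidence Ludwig asked for; what a practitioner wants next is a quick way to read it. The following is an added example, my own code rather than anything from 389-ds, FreeIPA or this thread. It parses a gdb/pstack thread list, separates idle connection workers from threads that are actually blocked on a libdb or pthread lock, and reports any thread on which the same LDBM backend operation appears twice with the plugin dispatcher in between, which is exactly the shape of Thread 11 above: ldbm_back_delete, then plugin_call_plugins, mep_del_post_op and delete_internal_pb, then a second ldbm_back_delete whose id2entry call is waiting on a libdb mutex while the main thread (Thread 1) waits on a PR_Lock. SAMPLE_PSTACK is a constructed, abbreviated copy of three of the posted threads; the classification labels are mine. Matching is regex-based, so the tool also works on a dump that has been flattened onto one line, as in this archive.

```python
"""
Triage a gdb/pstack thread dump of ns-slapd (389-ds): flag threads blocked
on locks and a thread that re-enters the LDBM backend from a plugin callback.

Added example, not code from 389-ds or from this thread. SAMPLE_PSTACK is a
constructed, abbreviated copy of three of the threads posted above.
"""
import re

THREAD_RE = re.compile(r"Thread (\d+) \(Thread 0x[0-9a-f]+ \(LWP (\d+)\)\):")
FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-f]+ in (\S+) \(\)(?: from \S+)?")

THREAD_RUNTIME = {"_pt_root", "start_thread", "clone"}  # NSPR/glibc plumbing
IDLE_MARKER = "connection_wait_for_new_work"            # worker parked on its queue
BACKEND_OPS = ("ldbm_back_add", "ldbm_back_delete", "ldbm_back_modify", "ldbm_back_modrdn")

SAMPLE_PSTACK = """\
Thread 12 (Thread 0x7f3ab67f4700 (LWP 2685)):
#0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
#2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
#3 0x00007f3ae9e1988d in connection_threadmain ()
#4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
Thread 11 (Thread 0x7f3ab5ff3700 (LWP 2686)):
#0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
#2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
#3 0x00007f3adc12949b in id2entry () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
#4 0x00007f3adc14f7dd in ldbm_back_delete () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
#5 0x00007f3ae9900190 in op_shared_delete () from /usr/lib64/dirsrv/libslapd.so.0
#6 0x00007f3ae9900342 in delete_internal_pb () from /usr/lib64/dirsrv/libslapd.so.0
#7 0x00007f3adba44739 in mep_del_post_op () from /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so
#8 0x00007f3ae994c280 in plugin_call_func () from /usr/lib64/dirsrv/libslapd.so.0
#9 0x00007f3ae994c4d8 in plugin_call_plugins () from /usr/lib64/dirsrv/libslapd.so.0
#10 0x00007f3adc14e42e in ldbm_back_delete () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
#11 0x00007f3ae9900190 in op_shared_delete () from /usr/lib64/dirsrv/libslapd.so.0
#12 0x00007f3ae9900453 in do_delete () from /usr/lib64/dirsrv/libslapd.so.0
#13 0x00007f3ae9e1a37e in connection_threadmain ()
Thread 1 (Thread 0x7f3ae9de2840 (LWP 2197)):
#0 0x00007f3ae76e3f7d in __lll_lock_wait () from /lib64/libpthread.so.0
#1 0x00007f3ae76dfd11 in pthread_mutex_lock () from /lib64/libpthread.so.0
#2 0x00007f3ae7d36cb9 in PR_Lock () from /lib64/libnspr4.so
#3 0x00007f3ae9e1def6 in slapd_daemon ()
#4 0x00007f3ae9e1117c in main ()
"""


def parse_pstack(text):
    """Return [(thread_no, lwp, [func, ...])] with frame #0 first. Matching is
    regex-based, so a dump flattened onto a single line parses the same way."""
    heads = list(THREAD_RE.finditer(text))
    out = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        funcs = [m.group(1) for m in FRAME_RE.finditer(text, h.end(), end)]
        out.append((int(h.group(1)), int(h.group(2)), funcs))
    return out


def entry_point(funcs):
    """Outermost frame that is not thread-runtime plumbing."""
    return next((f for f in reversed(funcs) if f not in THREAD_RUNTIME), "")


def classify(funcs):
    if IDLE_MARKER in funcs:
        return "idle-worker"
    if any(f.startswith("__db_") and "mutex" in f for f in funcs):
        return "db-lock-wait"              # parked inside libdb's lock manager
    if funcs and funcs[0] in ("__lll_lock_wait", "pthread_mutex_lock"):
        return "mutex-wait"
    if funcs and funcs[0].startswith("pthread_cond"):
        return "cond-wait"                 # housekeeping thread on a condvar
    return "running-or-syscall"


def nested_backend_op(funcs):
    """(op, plugin) if the same backend op appears twice with the plugin
    dispatcher between them: a plugin callback issued an internal operation
    while the outer operation of the same kind was still inside the backend."""
    for op in BACKEND_OPS:
        idx = [i for i, f in enumerate(funcs) if f == op]
        if len(idx) < 2:
            continue
        between = funcs[idx[0] + 1:idx[-1]]
        if "plugin_call_plugins" in between:
            j = between.index("plugin_call_func") if "plugin_call_func" in between else 0
            return op, (between[j - 1] if j > 0 else "?")
    return None


def triage(text):
    report = {"threads": 0, "idle": 0, "blocked": [], "reentrant": []}
    for _no, lwp, funcs in parse_pstack(text):
        report["threads"] += 1
        kind = classify(funcs)
        if kind == "idle-worker":
            report["idle"] += 1
        elif kind in ("db-lock-wait", "mutex-wait"):
            report["blocked"].append((lwp, kind, entry_point(funcs)))
        nest = nested_backend_op(funcs)
        if nest:
            report["reentrant"].append((lwp,) + nest)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PSTACK).items():
        print(f"{key}: {value}")
```

A single dump shows a blocked thread, not a deadlock; take a second pstack a few seconds later and compare, and if LWP 2686 has not moved while every other worker is idle, the nested delete issued from the Managed Entries post-op callback is the thread to report, together with the retrocl error logged at the same second.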
URL: From jhrozek at redhat.com Sat Sep 19 11:36:59 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Sat, 19 Sep 2015 13:36:59 +0200 Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat) In-Reply-To: References: <20150917072515.GP14560@hendrix.arn.redhat.com> <20150918084056.GE3162@hendrix.redhat.com> Message-ID: <45FEC81E-1EC5-489F-A481-7FA8A5371F32@redhat.com> > On 18 Sep 2015, at 19:17, Gustavo Mateus wrote: > > That only shows this: > > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))) > # requesting: ALL > # > > # admin, users, compat, my.domain.com > dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com > cn: Administrator > uidNumber: 1742200000 > objectClass: posixAccount > objectClass: top > gidNumber: 1742200000 > gecos: Administrator > loginShell: /bin/bash > homeDirectory: /home/admin > uid: admin > Since sshPublicKey is not listed here, the ACIs still prevent you from reading the attribute. You need to either bind as a user who has permissions to read it or make the public key world-readable (I don't think making it world-readable would be an issue since it's a pubkey) > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > On Fri, Sep 18, 2015 at 1:40 AM, Jakub Hrozek wrote: > On Thu, Sep 17, 2015 at 10:33:41AM -0700, Gustavo Mateus wrote: > > When I use id_provider=ipa I get: > > > > [sssd[be[default]]] [main] (0x0010): Could not initialize backend [2] > > Ah, I think they simply don't package the IPA backend. > > Time to file an RFE with Amazon? :-) > > > > > > > Adding a [ssh] section with just "debug_level = 10"on it, I get: > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client > > creds: euid[1742200001] egid[1742200001] pid[6295]. 
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > > timer re-set for client [0xd34eb0][17] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client > > connected! > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > > timer re-set for client [0xd34eb0][17] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): > > Received client version [0]. > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): > > Offered version [0]. > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > > timer re-set for client [0xd34eb0][17] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > > timer re-set for client [0xd34eb0][17] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): > > Requested domain [] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): > > Parsing name [admin][] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain > > not provided! 
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains] > > (0x0200): name 'admin' matched without domain, user is admin > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] > > (0x0400): Requesting SSH user public keys for [admin] from [] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): > > Issuing request for [0x40aba0:1:admin at default] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): > > Creating request for [default][1][1][name=admin] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0 > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): > > Entering request [0x40aba0:1:admin at default] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000): > > 0xd32ba0 > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: > > 0xd310f0 > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): > > Dispatching. > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got > > reply from Data Provider - DP error code: 0 errno: 0 error message: Success > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next] > > (0x0400): Requesting SSH user public keys for [admin at default] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain > > not provided! 
> > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event > > "ltdb_callback": 0xd3f3b0 > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event > > "ltdb_timeout": 0xd3f470 > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event > > 0xd3f3b0 "ltdb_callback" > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer > > event 0xd3f470 "ltdb_timeout" > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event > > 0xd3f3b0 "ltdb_callback" > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): > > Deleting request: [0x40aba0:1:admin at default] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > > timer re-set for client [0xd34eb0][17] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle > > timer re-set for client [0xd34eb0][17] > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client > > disconnected! > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000): > > Terminated client [0xd34eb0][17] > > > > > > > > > > ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb > > name=admin): > > > > > > asq: Unable to register control with rootdse! > > # record 1 > > dn: name=admin,cn=users,cn=default,cn=sysdb > > createTimestamp: 1442509579 > > fullName: Administrator > > gecos: Administrator > > gidNumber: 1742200000 > > homeDirectory: /home/admin > > loginShell: /bin/bash > > name: admin > > objectClass: user > > uidNumber: 1742200000 > > originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com > > originalModifyTimestamp: 20150829000451Z > > entryUSN: 1428 > > lastUpdate: 1442509579 > > dataExpireTimestamp: 1442514979 > > distinguishedName: name=admin,cn=users,cn=default,cn=sysdb > > The communication between the ssh responder and the back end went fine. 
> I think I should have been more careful the first time around, looks > like the backend cannot find the attribute in LDAP (some ACI problems, > maybe?) > > From your earlier logs: > (Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] > (0x2000): sshPublicKey is not available for [admin]. > > You can run a similar query manually: > ldapsearch -x -H ldap://your.ipa.server -b cn=compat,dc=my,dc=domain,dc=com (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))) > > Does that show the sshPublicKey ? > From gustavo.mateus at gmail.com Sat Sep 19 13:32:40 2015 From: gustavo.mateus at gmail.com (Gustavo Mateus) Date: Sat, 19 Sep 2015 06:32:40 -0700 Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat) In-Reply-To: <45FEC81E-1EC5-489F-A481-7FA8A5371F32@redhat.com> References: <20150917072515.GP14560@hendrix.arn.redhat.com> <20150918084056.GE3162@hendrix.redhat.com> <45FEC81E-1EC5-489F-A481-7FA8A5371F32@redhat.com> Message-ID: I've already included that in the IPA permissions. Anonymous access to ipaSshPubKey is marked as public already. Read and Search is allowed. On Sat, Sep 19, 2015 at 4:36 AM, Jakub Hrozek wrote: > > > On 18 Sep 2015, at 19:17, Gustavo Mateus > wrote: > > > > That only shows this: > > > > # extended LDIF > > # > > # LDAPv3 > > # base with scope subtree > > # filter: > (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))) > > # requesting: ALL > > # > > > > # admin, users, compat, my.domain.com > > dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com > > cn: Administrator > > uidNumber: 1742200000 > > objectClass: posixAccount > > objectClass: top > > gidNumber: 1742200000 > > gecos: Administrator > > loginShell: /bin/bash > > homeDirectory: /home/admin > > uid: admin > > > > Since sshPublicKey is not listed here, the ACIs still prevent you from > reading the attribute. 
You need to either bind as a user who has > permissions to read it or make the public key world-readable (I don't think > making it world-readable would be an issue since it's a pubkey) > > > # search result > > search: 2 > > result: 0 Success > > > > # numResponses: 2 > > # numEntries: 1 > > > > On Fri, Sep 18, 2015 at 1:40 AM, Jakub Hrozek > wrote: > > On Thu, Sep 17, 2015 at 10:33:41AM -0700, Gustavo Mateus wrote: > > > When I use id_provider=ipa I get: > > > > > > [sssd[be[default]]] [main] (0x0010): Could not initialize backend [2] > > > > Ah, I think they simply don't package the IPA backend. > > > > Time to file an RFE with Amazon? :-) > > > > > > > > > > > Adding a [ssh] section with just "debug_level = 10"on it, I get: > > > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): > Client > > > creds: euid[1742200001] egid[1742200001] pid[6295]. > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): > Idle > > > timer re-set for client [0xd34eb0][17] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): > Client > > > connected! > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): > Idle > > > timer re-set for client [0xd34eb0][17] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): > > > Received client version [0]. > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): > > > Offered version [0]. 
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): > Idle > > > timer re-set for client [0xd34eb0][17] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): > Idle > > > timer re-set for client [0xd34eb0][17] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] > (0x0400): > > > Requested domain [] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] > (0x0400): > > > Parsing name [admin][] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): > Domain > > > not provided! > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains] > > > (0x0200): name 'admin' matched without domain, user is admin > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] > > > (0x0400): Requesting SSH user public keys for [admin] from [] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): > > > Issuing request for [0x40aba0:1:admin at default] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] > (0x0400): > > > Creating request for [default][1][1][name=admin] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): > 0xd32ba0 > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] > (0x0400): > > > Entering request [0x40aba0:1:admin at default] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000): > > > 0xd32ba0 > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus > conn: > > > 0xd310f0 > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): > > > Dispatching. 
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got > > > reply from Data Provider - DP error code: 0 errno: 0 error message: > Success > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next] > > > (0x0400): Requesting SSH user public keys for [admin at default] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): > Domain > > > not provided! > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed > event > > > "ltdb_callback": 0xd3f3b0 > > > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed > event > > > "ltdb_timeout": 0xd3f470 > > > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer > event > > > 0xd3f3b0 "ltdb_callback" > > > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer > > > event 0xd3f470 "ltdb_timeout" > > > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer > event > > > 0xd3f3b0 "ltdb_callback" > > > > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] > (0x0400): > > > Deleting request: [0x40aba0:1:admin at default] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): > Idle > > > timer re-set for client [0xd34eb0][17] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): > Idle > > > timer re-set for client [0xd34eb0][17] > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client > > > disconnected! > > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000): > > > Terminated client [0xd34eb0][17] > > > > > > > > > > > > > > > ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb > > > name=admin): > > > > > > > > > asq: Unable to register control with rootdse! 
> > > # record 1 > > > dn: name=admin,cn=users,cn=default,cn=sysdb > > > createTimestamp: 1442509579 > > > fullName: Administrator > > > gecos: Administrator > > > gidNumber: 1742200000 > > > homeDirectory: /home/admin > > > loginShell: /bin/bash > > > name: admin > > > objectClass: user > > > uidNumber: 1742200000 > > > originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com > > > originalModifyTimestamp: 20150829000451Z > > > entryUSN: 1428 > > > lastUpdate: 1442509579 > > > dataExpireTimestamp: 1442514979 > > > distinguishedName: name=admin,cn=users,cn=default,cn=sysdb > > > > The communication between the ssh responder and the back end went fine. > > I think I should have been more careful the first time around, looks > > like the backend cannot find the attribute in LDAP (some ACI problems, > > maybe?) > > > > From your earlier logs: > > (Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] > > (0x2000): sshPublicKey is not available for [admin]. > > > > You can run a similar query manually: > > ldapsearch -x -H ldap://your.ipa.server -b > cn=compat,dc=my,dc=domain,dc=com > (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))) > > > > Does that show the sshPublicKey ? > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
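The manual check Jakub suggests (query the entry and see whether the key attribute comes back) can be scripted and compared against the same user under the main tree. The following is an added example, my own code rather than anything from SSSD, FreeIPA or this thread: it parses two ldapsearch LDIF results for the same user, reports the attributes the compat entry lacks, and lints an sssd.conf [domain] section for the search-base mistake that the later replies in this thread identify. COMPAT_LDIF is the entry Gustavo posted; ACCOUNTS_LDIF, its deliberately invalid key value and both configuration fragments are constructed for the example. The compat subtree is a synthesized view of the main tree and does not carry ipaSshPubKey, so a query there cannot return the key however the ACIs are set.

```python
"""
Why sss_ssh_authorizedkeys finds no key: compare the same user as returned
from the compat subtree and from cn=accounts, and lint the sssd.conf search
base. Added example, not SSSD or FreeIPA code. COMPAT_LDIF is the entry
posted in this thread; ACCOUNTS_LDIF, the key and both configs are constructed.
"""
import base64
import configparser

COMPAT_LDIF = """\
dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
cn: Administrator
uidNumber: 1742200000
objectClass: posixAccount
objectClass: top
gidNumber: 1742200000
gecos: Administrator
loginShell: /bin/bash
homeDirectory: /home/admin
uid: admin
"""

# Constructed: same user under cn=accounts, with a made-up (invalid) key, a
# folded continuation line and a base64 value to exercise the LDIF parser.
ACCOUNTS_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=my,dc=domain,dc=com
uid: admin
cn: Administrator
objectClass: posixaccount
objectClass: ipasshuser
uidNumber: 1742200000
gidNumber: 1742200000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos:: QWRtaW5pc3RyYXRvcg==
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNotARealKey admin@exa
 mple
"""

# Constructed from the sssd.conf posted in this thread (compat base = the bug).
BAD_CONF = """\
[domain/default]
id_provider = ldap
ldap_uri = ldap://ipa.my.domain.com
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
ldap_user_ssh_public_key = ipaSshPubKey
"""
GOOD_CONF = BAD_CONF.replace("cn=compat,", "cn=accounts,")


def parse_ldif(text):
    """LDIF search output -> {dn: {attr: [values]}}; handles '#' comments,
    folded continuation lines (leading space) and base64 'attr::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]       # unfold
        else:
            lines.append(raw)
    records, dn, attrs = {}, None, {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name.lower() == "dn":
            if dn is not None:
                records[dn] = attrs
            dn, attrs = value, {}
        elif dn is not None:
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        records[dn] = attrs
    return records


def missing_attributes(have, want):
    """Attribute names in `want` that `have` lacks (LDAP names are case-insensitive)."""
    present = {a.lower() for a in have}
    return sorted(a for a in want if a.lower() not in present)


def lint_sssd_domain(conf_text, domain):
    """Findings for [domain/<domain>]: compat search base, and a key attribute
    requested from a tree that does not carry it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    findings = []
    if "cn=compat," in sec.get("ldap_search_base", "").replace(" ", "").lower():
        findings.append("ldap_search_base is the compat tree; SSSD understands "
                        "RFC2307bis, so use cn=accounts,<suffix>")
        key_attr = sec.get("ldap_user_ssh_public_key")
        if key_attr:
            findings.append(f"{key_attr} is not present on compat entries; "
                            "the key lives on the cn=accounts entry")
    return findings


if __name__ == "__main__":
    compat = parse_ldif(COMPAT_LDIF)["uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com"]
    accounts = parse_ldif(ACCOUNTS_LDIF)["uid=admin,cn=users,cn=accounts,dc=my,dc=domain,dc=com"]
    print("compat entry lacks:", missing_attributes(compat, accounts))
    print("sssd.conf findings:", lint_sssd_domain(BAD_CONF, "default"))
```

Feed it the two ldapsearch outputs (one with -b cn=compat,... and one with -b cn=accounts,..., same filter, same bind) to separate an ACI problem from a search-base problem: an attribute missing from both is an ACI or schema question, one missing only from the compat result is the search base.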
URL: From abokovoy at redhat.com Sat Sep 19 16:47:55 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Sat, 19 Sep 2015 19:47:55 +0300 Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat) In-Reply-To: <45FEC81E-1EC5-489F-A481-7FA8A5371F32@redhat.com> References: <20150917072515.GP14560@hendrix.arn.redhat.com> <20150918084056.GE3162@hendrix.redhat.com> <45FEC81E-1EC5-489F-A481-7FA8A5371F32@redhat.com> Message-ID: <20150919164755.GA8415@redhat.com> On Sat, 19 Sep 2015, Jakub Hrozek wrote: > >> On 18 Sep 2015, at 19:17, Gustavo Mateus wrote: >> >> That only shows this: >> >> # extended LDIF >> # >> # LDAPv3 >> # base with scope subtree >> # filter: (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))) >> # requesting: ALL >> # >> >> # admin, users, compat, my.domain.com >> dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com >> cn: Administrator >> uidNumber: 1742200000 >> objectClass: posixAccount >> objectClass: top >> gidNumber: 1742200000 >> gecos: Administrator >> loginShell: /bin/bash >> homeDirectory: /home/admin >> uid: admin >> > >Since sshPublicKey is not listed here, the ACIs still prevent you from >reading the attribute. You need to either bind as a user who has >permissions to read it or make the public key world-readable (I don't >think making it world-readable would be an issue since it's a pubkey) Compat tree doesn't have ipaSSHPublicKey. Why are you pointing to the compat tree instead of the normal one? You should only use compat tree for two reasons: - your POSIX client does not understand RFC2307bis - your POSIX client does not use recent SSSD and you want to have trust to Active Directory working. For the rest of cases you should really point your POSIX clients to the main subtree, not the compat one. 
--
/ Alexander Bokovoy

From abokovoy at redhat.com Sat Sep 19 16:49:52 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 19 Sep 2015 19:49:52 +0300
Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
In-Reply-To:
References:
Message-ID: <20150919164952.GB8415@redhat.com>

On Wed, 16 Sep 2015, Gustavo Mateus wrote:
>Hi,
>
>I have an IPA server running on redhat and I'm trying to find the best way to
>get my amazon linux instances to use it for authentication, ssh key
>management and sudo rules.
>
>I'm now trying to use SSSD to achieve those goals. Authentication is
>working but I'm having problems to get the user public ssh keys using
>/usr/bin/sss_ssh_authorizedkeys.
>
>
>This is my sssd.conf:
>
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>domains = default
>re_expression = (?P.+)
>
>[domain/default]
>debug_level = 8
>cache_credentials = True
>id_provider = ldap
>auth_provider = ldap
>ldap_uri = ldap://ipa.my.domain.com
>ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
>ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
>ldap_user_ssh_public_key = ipaSshPubKey
>
>
>The original configuration was done using ipa-advise ipa-advise
>config-redhat-sssd-before-1-9. I just changed the services parameter to
>include "ssh, sudo" and "ldap_user_ssh_public_key"
>
Change your ldap_search_base to 'cn=accounts,dc=my,dc=domain,dc=com'

ipa-advise recipes are templates, mostly to allow old non-RFC2307bis
clients to be configured. You have SSSD, it supports RFC2307bis.
-- / Alexander Bokovoy From jhrozek at redhat.com Sun Sep 20 15:51:11 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 20 Sep 2015 17:51:11 +0200 Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat) In-Reply-To: References: <20150917072515.GP14560@hendrix.arn.redhat.com> <20150918084056.GE3162@hendrix.redhat.com> <45FEC81E-1EC5-489F-A481-7FA8A5371F32@redhat.com> Message-ID: <20150920155111.GB4122@hendrix.lan> On Sat, Sep 19, 2015 at 06:32:40AM -0700, Gustavo Mateus wrote: > I've already included that in the IPA permissions. > Anonymous access to ipaSshPubKey is marked as public already. Read and > Search is allowed. as your ldapsearch proved, it's still not working. If you search the server logs, you might see what exact attributes were requested and whether they were permitted. (Requesting just the single attribute might make the server logs a bit more readable) From jhrozek at redhat.com Sun Sep 20 15:51:39 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 20 Sep 2015 17:51:39 +0200 Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat) In-Reply-To: <20150919164755.GA8415@redhat.com> References: <20150917072515.GP14560@hendrix.arn.redhat.com> <20150918084056.GE3162@hendrix.redhat.com> <45FEC81E-1EC5-489F-A481-7FA8A5371F32@redhat.com> <20150919164755.GA8415@redhat.com> Message-ID: <20150920155139.GC4122@hendrix.lan> On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote: > On Sat, 19 Sep 2015, Jakub Hrozek wrote: > > > >>On 18 Sep 2015, at 19:17, Gustavo Mateus wrote: > >> > >>That only shows this: > >> > >># extended LDIF > >># > >># LDAPv3 > >># base with scope subtree > >># filter: (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))) > >># requesting: ALL > >># > >> > >># admin, users, compat, my.domain.com > >>dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com > >>cn: Administrator > >>uidNumber: 1742200000 > >>objectClass: posixAccount > >>objectClass: top > 
>>gidNumber: 1742200000 > >>gecos: Administrator > >>loginShell: /bin/bash > >>homeDirectory: /home/admin > >>uid: admin > >> > > > >Since sshPublicKey is not listed here, the ACIs still prevent you from > >reading the attribute. You need to either bind as a user who has > >permissions to read it or make the public key world-readable (I don't > >think making it world-readable would be an issue since it's a pubkey) > Compat tree doesn't have ipaSSHPublicKey. Oops, good catch. I totally missed the search base is compat. > > Why are you pointing to the compat tree instead of the normal one? > You should only use compat tree for two reasons: > - your POSIX client does not understand RFC2307bis > - your POSIX client does not use recent SSSD and you want to have trust to > Active Directory working. > > For the rest of cases you should really point your POSIX clients to the > main subtree, not the compat one. > -- > / Alexander Bokovoy From janellenicole80 at gmail.com Sun Sep 20 21:40:24 2015 From: janellenicole80 at gmail.com (Janelle) Date: Sun, 20 Sep 2015 14:40:24 -0700 Subject: [Freeipa-users] V6 and v4 In-Reply-To: <20150914064630.GP6168@redhat.com> References: <20150914064630.GP6168@redhat.com> Message-ID: <55FF27C8.3020005@gmail.com> On 9/13/15 11:46 PM, Alexander Bokovoy wrote: > On Sun, 13 Sep 2015, Janelle wrote: >> Hello, >> >> I read something recently that if ip v6 is disable on a server this >> hurts performance in some way? Is there more info on this or did I >> misread it? > Do not disable IPv6 stack on your machines. By disabling IPv6 you are > not doing good. On contrary, many contemporary software projects are > using IPv6-enabled network calls by default because both IPv6 and IPv4 > share the same name space on the machine so you only need to listen on a > IPv6 port to accept both IPv4 and IPv6. This is a recommended approach > for networking applications' developers for years already. 
> > Note that this means only that support for IPv6 stack is enabled in the > kernel. You are not required to go with IPv6 networking addresses, this > is not really needed if you don't want to. But allowing applications to > be IPv6 aware is required. > > FreeIPA has several components which are programmed in such way that > they expect IPv6 stack to be enabled for reasons outlined above. If you > disable IPv6 stack, FreeIPA will partially malfunction and will not > really be in a supported state, especially when we are talking about > trusts to Active Directory (and, in future, IPA to IPA trust). > Now it makes me wonder if my problems with replicas and RUVs were caused by v6 being disabled. Time for some investigation. ~J From tbabej at redhat.com Mon Sep 21 08:09:06 2015 From: tbabej at redhat.com (Tomas Babej) Date: Mon, 21 Sep 2015 10:09:06 +0200 Subject: [Freeipa-users] Partial replica In-Reply-To: <55F835B8.9030206@mmfg.it> References: <55F835B8.9030206@mmfg.it> Message-ID: <55FFBB22.2000109@redhat.com> On 09/15/2015 05:14 PM, Nicola Canepa wrote: > Hello list. > I'm trying to make a test deploy of FreeIPA, and I was wondering if it > is possible to authenticate remote sites via LDAP by havong a partial > replica based on saome filter (maybe a group, an attribute or similar). > > Sorry if this is a silly question, but I am trying to explore the > possibilities that I could have to slowly replace local authentications > spread in various sites by having a central store (backed by FreeIPA) > and many partial replicas which would contain what now I have in RADIUS > or other authentication sources. > > Thank you for any advice or pointer you can give to me. > > Nicola > Hello! Short answer is that FreeIPA does not support filter-based partial replication. AFAIK, 389 can do fractional replication, which can exclude certain attributes from being replicated (and hence lower the replication traffic), but I gather that will not help in your use case. 
See nsds5replicatedattributelist and nsds5replicatedattributelisttotal attributes of the replication agreement, if interested. Tomas From Andy.Thompson at e-tcc.com Mon Sep 21 14:22:54 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Mon, 21 Sep 2015 14:22:54 +0000 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <20150918084152.GF3162@hendrix.redhat.com> References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> Message-ID: <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> > > On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote: > > I've narrowed it down a bit doing some testing. The sudo rules work when > I remove the user group restriction from them. My sudo rules all have my ad > groups in the rule > > > > Rule name: ad_linux_admins > > Enabled: TRUE > > Host category: all > > Command category: all > > RunAs User category: all > > RunAs Group category: all > > User Groups: ad_linux_admins <- if I remove this then the rule gets > applied > > Nice catch. Is the group visible after you login and run id? > > What is the exact IPA server version? Ok I also figured out if I rename my AD groups to match my IPA groups then the sudo rules are applied. I tested a couple things though, if I put a rule in the local sudoers file on a server running sssd 1.11 %@ "sudo commands" That rule was not applied. If I remove the then the rule got applied. On a server running sssd 1.12 that rule works, but does not work if I remove the . And none of the IPA sudo rules work. So something changed with the domain suffix between versions it would appear. They key to making the IPA sudo rules work in 1.12 is to remove the default_domain_suffix setting in the sssd.conf, but that's not an option in my environment. 
So all the moving parts together, it appears that having AD groups with a different name than the IPA groups in conjunction with the default_domain_suffix setting breaks things right now in 1.12. Appears since I renamed the ad group to match then the rule without a domain suffix will get matched now -andy From gustavo.mateus at gmail.com Mon Sep 21 17:03:24 2015 From: gustavo.mateus at gmail.com (Gustavo Mateus) Date: Mon, 21 Sep 2015 10:03:24 -0700 Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat) In-Reply-To: <20150920155139.GC4122@hendrix.lan> References: <20150917072515.GP14560@hendrix.arn.redhat.com> <20150918084056.GE3162@hendrix.redhat.com> <45FEC81E-1EC5-489F-A481-7FA8A5371F32@redhat.com> <20150919164755.GA8415@redhat.com> <20150920155139.GC4122@hendrix.lan> Message-ID: I used compat because that is what ipa-advise provided me. I did not pay attention to that part. And yes, that did the trick :) Thank you very much Gustavo On Sun, Sep 20, 2015 at 8:51 AM, Jakub Hrozek wrote: > On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote: > > On Sat, 19 Sep 2015, Jakub Hrozek wrote: > > > > > >>On 18 Sep 2015, at 19:17, Gustavo Mateus > wrote: > > >> > > >>That only shows this: > > >> > > >># extended LDIF > > >># > > >># LDAPv3 > > >># base with scope subtree > > >># filter: > (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))) > > >># requesting: ALL > > >># > > >> > > >># admin, users, compat, my.domain.com > > >>dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com > > >>cn: Administrator > > >>uidNumber: 1742200000 > > >>objectClass: posixAccount > > >>objectClass: top > > >>gidNumber: 1742200000 > > >>gecos: Administrator > > >>loginShell: /bin/bash > > >>homeDirectory: /home/admin > > >>uid: admin > > >> > > > > > >Since sshPublicKey is not listed here, the ACIs still prevent you from > > >reading the attribute. 
You need to either bind as a user who has > > >permissions to read it or make the public key world-readable (I don't > > >think making it world-readable would be an issue since it's a pubkey) > > Compat tree doesn't have ipaSSHPublicKey. > > Oops, good catch. I totally missed the search base is compat. > > > > > Why are you pointing to the compat tree instead of the normal one? > > You should only use compat tree for two reasons: > > - your POSIX client does not understand RFC2307bis > > - your POSIX client does not use recent SSSD and you want to have trust > to > > Active Directory working. > > > > For the rest of cases you should really point your POSIX clients to the > > main subtree, not the compat one. > > -- > > / Alexander Bokovoy > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Mon Sep 21 19:29:24 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 21 Sep 2015 21:29:24 +0200 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> Message-ID: <20150921192924.GQ13819@hendrix.redhat.com> On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson wrote: > > > > On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote: > > > I've narrowed it down a bit doing some testing. The sudo rules work when > > I remove the user group restriction from them. 
My sudo rules all have my ad > > groups in the rule > > > > > > Rule name: ad_linux_admins > > > Enabled: TRUE > > > Host category: all > > > Command category: all > > > RunAs User category: all > > > RunAs Group category: all > > > User Groups: ad_linux_admins <- if I remove this then the rule gets > > applied > > > > Nice catch. Is the group visible after you login and run id? > > > > What is the exact IPA server version? > > Ok I also figured out if I rename my AD groups to match my IPA groups then the sudo rules are applied. > > I tested a couple things though, if I put a rule in the local sudoers file on a server running sssd 1.11 > > %@ "sudo commands" > > That rule was not applied. If I remove the then the rule got applied. > > On a server running sssd 1.12 that rule works, but does not work if I remove the . And none of the IPA sudo rules work. So something changed with the domain suffix between versions it would appear. > > They key to making the IPA sudo rules work in 1.12 is to remove the default_domain_suffix setting in the sssd.conf, but that's not an option in my environment. > > So all the moving parts together, it appears that having AD groups with a different name than the IPA groups in conjunction with the default_domain_suffix setting breaks things right now in 1.12. Appears since I renamed the ad group to match then the rule without a domain suffix will get matched now Hello Andy, I'm sorry for the constant delays, but I was busy with some trust-related fixes lately. Did you have a chance to confirm that just swapping sssd /on the client/ while keeping the same version on the server fixes the issue for you? Pavel (CC), can you help me out here, please? I have the setup ready on my machine, so tomorrow we can take a look and experiment (I can give you access to my environment via tmate maybe..), but I wasn't able to reproduce the issue locally yet. 
From abokovoy at redhat.com Mon Sep 21 19:40:07 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 21 Sep 2015 22:40:07 +0300
Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
In-Reply-To:
References: <20150919164952.GB8415@redhat.com>
Message-ID: <20150921194007.GD8415@redhat.com>

On Mon, 21 Sep 2015, Gustavo Mateus wrote:
>Hi Alexander,
>
>Thank you very much for your help.
>Would it be possible for you to point me in the right direction on how to
>integrate this with sudo rules?
Please don't send emails personally unless asked to do that. Your problem
can be tracked with the public mailing list.

>my sssd.conf looks like this:
>
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>domains = default
>re_expression = (?P.+)
>
>[domain/default]
>cache_credentials = True
>id_provider = ldap
>auth_provider = ldap
>ldap_uri = ldap://ipaserver.my.domain.com
>ldap_search_base = cn=accounts,dc=my,dc=domain,dc=com
>ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
>ldap_user_ssh_public_key = ipaSshPubKey
>sudo_provider = ldap
>ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain,dc=com
>ldap_sudo_full_refresh_interval=86400
>ldap_sudo_smart_refresh_interval=3600
>debug_level=8
>
>[ssh]
>
>[sudo]
>debug_level=8
>
>
>and nsswitch.conf has this:
>
>sudoers: files sss
>
>
>
>My goal is to have freeipa as a replacement for the current openldap and
>hope that amazon linux supports it fully in the future. While they don't
>support it, I want to use as much as I can of centralized management that
>freeipa+sssd provides.
SSSD has its own plugin for sudo integration that makes it possible to cache
sudo rules via SSSD itself, as opposed to use of sudo's LDAP plugin which
tries to talk to the LDAP server directly.

You need to understand what features are provided by Amazon Linux's sudo
package. It may well be missing support for sudo plugins.
I don't have access to Amazon Linux source code, thus I cannot check whether their sudo package supports external plugins. So even if your sssd version includes sudo plugin, it may probably be simply unused by your sssd version. Again, I have no idea how Amazon's Linux AMI is built, thus it may miss this capability. At this point I'd suggest you to investigate yourself and contact Amazon support for finding out exactly what is happening there. -- / Alexander Bokovoy From Andy.Thompson at e-tcc.com Mon Sep 21 19:39:01 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Mon, 21 Sep 2015 19:39:01 +0000 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <20150921192924.GQ13819@hendrix.redhat.com> References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> <20150921192924.GQ13819@hendrix.redhat.com> Message-ID: <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local> > -----Original Message----- > From: Jakub Hrozek [mailto:jhrozek at redhat.com] > Sent: Monday, September 21, 2015 3:29 PM > To: Andy Thompson > Cc: freeipa-users at redhat.com; pbrezina at redhat.com > Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo > > On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson wrote: > > > > > > On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote: > > > > I've narrowed it down a bit doing some testing. The sudo rules > > > > work when > > > I remove the user group restriction from them. 
My sudo rules all > > > have my ad groups in the rule > > > > > > > > Rule name: ad_linux_admins > > > > Enabled: TRUE > > > > Host category: all > > > > Command category: all > > > > RunAs User category: all > > > > RunAs Group category: all > > > > User Groups: ad_linux_admins <- if I remove this then the rule > > > > gets > > > applied > > > > > > Nice catch. Is the group visible after you login and run id? > > > > > > What is the exact IPA server version? > > > > Ok I also figured out if I rename my AD groups to match my IPA groups then > the sudo rules are applied. > > > > I tested a couple things though, if I put a rule in the local sudoers > > file on a server running sssd 1.11 > > > > %@ "sudo commands" > > > > That rule was not applied. If I remove the then the rule got > applied. > > > > On a server running sssd 1.12 that rule works, but does not work if I > remove the . And none of the IPA sudo rules work. So > something changed with the domain suffix between versions it would > appear. > > > > They key to making the IPA sudo rules work in 1.12 is to remove the > default_domain_suffix setting in the sssd.conf, but that's not an option in my > environment. > > > > So all the moving parts together, it appears that having AD groups > > with a different name than the IPA groups in conjunction with the > > default_domain_suffix setting breaks things right now in 1.12. > > Appears since I renamed the ad group to match then the rule without a > > domain suffix will get matched now > > Hello Andy, > > I'm sorry for the constant delays, but I was busy with some trust-related fixes > lately. > > Did you have a chance to confirm that just swapping sssd /on the client/ > while keeping the same version on the server fixes the issue for you? > > Pavel (CC), can you help me out here, please? 
I have the setup ready on my > machine, so tomorrow we can take a look and experiment (I can give you > access to my environment via tmate maybe..), but I wasn't able to reproduce > the issue locally yet. It's fine I understand the backlog. I was not able to backrev the sssd due to dependency issues. I tried downgrading all the dependencies and got in a loop and stopped trying. Are there any tricks you can think of to downgrade the sssd cleanly? -andy From jhrozek at redhat.com Mon Sep 21 19:56:25 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 21 Sep 2015 21:56:25 +0200 Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat) In-Reply-To: <20150921194007.GD8415@redhat.com> References: <20150919164952.GB8415@redhat.com> <20150921194007.GD8415@redhat.com> Message-ID: <20150921195625.GW13819@hendrix.redhat.com> On Mon, Sep 21, 2015 at 10:40:07PM +0300, Alexander Bokovoy wrote: > At this point I'd suggest you to investigate yourself and contact Amazon > support for finding out exactly what is happening there. It would be nice if Amazon actually packaged all the functionality RHEL packages for several years :-) But maybe there are some issues preventing them -- filing a support case and asking them might go a long way. I'm sure if Amazon approached us on this (or the -devel) list we'd be glad to work with them on any technical issues.. 
From abokovoy at redhat.com Mon Sep 21 20:03:26 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 21 Sep 2015 23:03:26 +0300 Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat) In-Reply-To: <20150921195625.GW13819@hendrix.redhat.com> References: <20150919164952.GB8415@redhat.com> <20150921194007.GD8415@redhat.com> <20150921195625.GW13819@hendrix.redhat.com> Message-ID: <20150921200326.GA4459@redhat.com> On Mon, 21 Sep 2015, Jakub Hrozek wrote: >On Mon, Sep 21, 2015 at 10:40:07PM +0300, Alexander Bokovoy wrote: >> At this point I'd suggest you to investigate yourself and contact Amazon >> support for finding out exactly what is happening there. > >It would be nice if Amazon actually packaged all the functionality RHEL >packages for several years :-) > >But maybe there are some issues preventing them -- filing a support case >and asking them might go a long way. I'm sure if Amazon approached us on >this (or the -devel) list we'd be glad to work with them on any >technical issues.. According to Amazon, they have issues with packaging Samba. I'd let them to respond themselves, given they are the only ones who can respond on why they are so insisting on not packaging Samba while providing one of key infrastructure parts of AWS via Samba AD. 
https://forums.aws.amazon.com/thread.jspa?threadID=164971 -- / Alexander Bokovoy From jhrozek at redhat.com Mon Sep 21 20:09:43 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 21 Sep 2015 22:09:43 +0200 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local> References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> <20150921192924.GQ13819@hendrix.redhat.com> <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local> Message-ID: <20150921200943.GY13819@hendrix.redhat.com> On Mon, Sep 21, 2015 at 07:39:01PM +0000, Andy Thompson wrote: > > -----Original Message----- > > From: Jakub Hrozek [mailto:jhrozek at redhat.com] > > Sent: Monday, September 21, 2015 3:29 PM > > To: Andy Thompson > > Cc: freeipa-users at redhat.com; pbrezina at redhat.com > > Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo > > > > On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson wrote: > > > > > > > > On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote: > > > > > I've narrowed it down a bit doing some testing. The sudo rules > > > > > work when > > > > I remove the user group restriction from them. My sudo rules all > > > > have my ad groups in the rule > > > > > > > > > > Rule name: ad_linux_admins > > > > > Enabled: TRUE > > > > > Host category: all > > > > > Command category: all > > > > > RunAs User category: all > > > > > RunAs Group category: all > > > > > User Groups: ad_linux_admins <- if I remove this then the rule > > > > > gets > > > > applied > > > > > > > > Nice catch. Is the group visible after you login and run id? > > > > > > > > What is the exact IPA server version? 
> > > > > > Ok I also figured out if I rename my AD groups to match my IPA groups then > > the sudo rules are applied. > > > > > > I tested a couple things though, if I put a rule in the local sudoers > > > file on a server running sssd 1.11 > > > > > > %@ "sudo commands" > > > > > > That rule was not applied. If I remove the then the rule got > > applied. > > > > > > On a server running sssd 1.12 that rule works, but does not work if I > > remove the . And none of the IPA sudo rules work. So > > something changed with the domain suffix between versions it would > > appear. > > > > > > They key to making the IPA sudo rules work in 1.12 is to remove the > > default_domain_suffix setting in the sssd.conf, but that's not an option in my > > environment. > > > > > > So all the moving parts together, it appears that having AD groups > > > with a different name than the IPA groups in conjunction with the > > > default_domain_suffix setting breaks things right now in 1.12. > > > Appears since I renamed the ad group to match then the rule without a > > > domain suffix will get matched now > > > > Hello Andy, > > > > I'm sorry for the constant delays, but I was busy with some trust-related fixes > > lately. > > > > Did you have a chance to confirm that just swapping sssd /on the client/ > > while keeping the same version on the server fixes the issue for you? > > > > Pavel (CC), can you help me out here, please? I have the setup ready on my > > machine, so tomorrow we can take a look and experiment (I can give you > > access to my environment via tmate maybe..), but I wasn't able to reproduce > > the issue locally yet. > > It's fine I understand the backlog. > > I was not able to backrev the sssd due to dependency issues. I tried downgrading all the dependencies and got in a loop and stopped trying. Are there any tricks you can think of to downgrade the sssd cleanly? > > -andy > What failures are you getting? 
I normally just download all \*sss\* packages and then downgrade with rpm -U --oldpackage. From Andy.Thompson at e-tcc.com Mon Sep 21 20:42:11 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Mon, 21 Sep 2015 20:42:11 +0000 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <20150921200943.GY13819@hendrix.redhat.com> References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> <20150921192924.GQ13819@hendrix.redhat.com> <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local> <20150921200943.GY13819@hendrix.redhat.com> Message-ID: <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local> > On Mon, Sep 21, 2015 at 07:39:01PM +0000, Andy Thompson wrote: > > > -----Original Message----- > > > From: Jakub Hrozek [mailto:jhrozek at redhat.com] > > > Sent: Monday, September 21, 2015 3:29 PM > > > To: Andy Thompson > > > Cc: freeipa-users at redhat.com; pbrezina at redhat.com > > > Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo > > > > > > On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson wrote: > > > > > > > > > > On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote: > > > > > > I've narrowed it down a bit doing some testing. The sudo > > > > > > rules work when > > > > > I remove the user group restriction from them. My sudo rules > > > > > all have my ad groups in the rule > > > > > > > > > > > > Rule name: ad_linux_admins > > > > > > Enabled: TRUE > > > > > > Host category: all > > > > > > Command category: all > > > > > > RunAs User category: all > > > > > > RunAs Group category: all > > > > > > User Groups: ad_linux_admins <- if I remove this then the > > > > > > rule gets > > > > > applied > > > > > > > > > > Nice catch. Is the group visible after you login and run id? 
> > > > > > > > > > What is the exact IPA server version? > > > > > > > > Ok I also figured out if I rename my AD groups to match my IPA > > > > groups then > > > the sudo rules are applied. > > > > > > > > I tested a couple things though, if I put a rule in the local > > > > sudoers file on a server running sssd 1.11 > > > > > > > > %@ "sudo commands" > > > > > > > > That rule was not applied. If I remove the then the > > > > rule got > > > applied. > > > > > > > > On a server running sssd 1.12 that rule works, but does not work > > > > if I > > > remove the . And none of the IPA sudo rules work. So > > > something changed with the domain suffix between versions it would > > > appear. > > > > > > > > They key to making the IPA sudo rules work in 1.12 is to remove > > > > the > > > default_domain_suffix setting in the sssd.conf, but that's not an > > > option in my environment. > > > > > > > > So all the moving parts together, it appears that having AD groups > > > > with a different name than the IPA groups in conjunction with the > > > > default_domain_suffix setting breaks things right now in 1.12. > > > > Appears since I renamed the ad group to match then the rule > > > > without a domain suffix will get matched now > > > > > > Hello Andy, > > > > > > I'm sorry for the constant delays, but I was busy with some > > > trust-related fixes lately. > > > > > > Did you have a chance to confirm that just swapping sssd /on the > > > client/ while keeping the same version on the server fixes the issue for > you? > > > > > > Pavel (CC), can you help me out here, please? I have the setup ready > > > on my machine, so tomorrow we can take a look and experiment (I can > > > give you access to my environment via tmate maybe..), but I wasn't > > > able to reproduce the issue locally yet. > > > > It's fine I understand the backlog. > > > > I was not able to backrev the sssd due to dependency issues. 
I tried > downgrading all the dependencies and got in a loop and stopped trying. Are > there any tricks you can think of to downgrade the sssd cleanly? > > > > -andy > > > > What failures are you getting? I normally just download all \*sss\* packages > and then downgrade with rpm -U --oldpackage. I'm just trying to use yum. If I yum downgrade sssd I get a ton of deps. If include all the deps it lists yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac sssd-krb5 sssd-krb5-common sssd-ldap sssd-ad libipa_hbac libipa_hbac-python python-sssdconfig I get multilib errors with libsss_idmap. Looks like my local repo doesn't have libsss_idmap 1.11 available. Let me look into that and see what repo it sits in and see if I can figure out why it's not pulling in. -andy From Andy.Thompson at e-tcc.com Mon Sep 21 20:53:22 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Mon, 21 Sep 2015 20:53:22 +0000 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local> References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> <20150921192924.GQ13819@hendrix.redhat.com> <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local> <20150921200943.GY13819@hendrix.redhat.com> <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local> Message-ID: > > On Mon, Sep 21, 2015 at 07:39:01PM +0000, Andy Thompson wrote: > > > > -----Original Message----- > > > > From: Jakub Hrozek [mailto:jhrozek at redhat.com] > > > > Sent: Monday, September 21, 2015 3:29 PM > > > > To: Andy Thompson > > > > Cc: freeipa-users at redhat.com; pbrezina at redhat.com > > > > Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo > > > > > > > > On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson wrote: > > > > > > > > > > > > On Thu, 
Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote: > > > > > > > I've narrowed it down a bit doing some testing. The sudo > > > > > > > rules work when > > > > > > I remove the user group restriction from them. My sudo rules > > > > > > all have my ad groups in the rule > > > > > > > > > > > > > > Rule name: ad_linux_admins > > > > > > > Enabled: TRUE > > > > > > > Host category: all > > > > > > > Command category: all > > > > > > > RunAs User category: all > > > > > > > RunAs Group category: all > > > > > > > User Groups: ad_linux_admins <- if I remove this then the > > > > > > > rule gets > > > > > > applied > > > > > > > > > > > > Nice catch. Is the group visible after you login and run id? > > > > > > > > > > > > What is the exact IPA server version? > > > > > > > > > > Ok I also figured out if I rename my AD groups to match my IPA > > > > > groups then > > > > the sudo rules are applied. > > > > > > > > > > I tested a couple things though, if I put a rule in the local > > > > > sudoers file on a server running sssd 1.11 > > > > > > > > > > %@ "sudo commands" > > > > > > > > > > That rule was not applied. If I remove the then > > > > > the rule got > > > > applied. > > > > > > > > > > On a server running sssd 1.12 that rule works, but does not work > > > > > if I > > > > remove the . And none of the IPA sudo rules work. So > > > > something changed with the domain suffix between versions it would > > > > appear. > > > > > > > > > > They key to making the IPA sudo rules work in 1.12 is to remove > > > > > the > > > > default_domain_suffix setting in the sssd.conf, but that's not an > > > > option in my environment. > > > > > > > > > > So all the moving parts together, it appears that having AD > > > > > groups with a different name than the IPA groups in conjunction > > > > > with the default_domain_suffix setting breaks things right now in > 1.12. 
> > > > > Appears since I renamed the ad group to match then the rule > > > > > without a domain suffix will get matched now > > > > > > > > Hello Andy, > > > > > > > > I'm sorry for the constant delays, but I was busy with some > > > > trust-related fixes lately. > > > > > > > > Did you have a chance to confirm that just swapping sssd /on the > > > > client/ while keeping the same version on the server fixes the > > > > issue for > > you? > > > > > > > > Pavel (CC), can you help me out here, please? I have the setup > > > > ready on my machine, so tomorrow we can take a look and experiment > > > > (I can give you access to my environment via tmate maybe..), but I > > > > wasn't able to reproduce the issue locally yet. > > > > > > It's fine I understand the backlog. > > > > > > I was not able to backrev the sssd due to dependency issues. I > > > tried > > downgrading all the dependencies and got in a loop and stopped trying. > > Are there any tricks you can think of to downgrade the sssd cleanly? > > > > > > -andy > > > > > > > What failures are you getting? I normally just download all \*sss\* > > packages and then downgrade with rpm -U --oldpackage. > > > I'm just trying to use yum. If I yum downgrade sssd I get a ton of deps. If > include all the deps it lists > > yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac sssd-krb5 sssd- > krb5-common sssd-ldap sssd-ad libipa_hbac libipa_hbac-python python- > sssdconfig > > I get multilib errors with libsss_idmap. > > Looks like my local repo doesn't have libsss_idmap 1.11 available. Let me > look into that and see what repo it sits in and see if I can figure out why it's > not pulling in. 
No it appears to be there

libsss_idmap-1.9.2-82.el6.i686 : FreeIPA Idmap library
libsss_idmap-1.9.2-82.el6.x86_64 : FreeIPA Idmap library
libsss_idmap-1.9.2-82.4.el6_4.i686 : FreeIPA Idmap library
libsss_idmap-1.9.2-82.4.el6_4.x86_64 : FreeIPA Idmap library
libsss_idmap-1.9.2-82.7.el6_4.i686 : FreeIPA Idmap library
libsss_idmap-1.9.2-82.7.el6_4.x86_64 : FreeIPA Idmap library
libsss_idmap-1.9.2-82.10.el6_4.i686 : FreeIPA Idmap library
libsss_idmap-1.9.2-82.10.el6_4.x86_64 : FreeIPA Idmap library
libsss_idmap-1.11.6-30.el6_6.3.i686 : FreeIPA Idmap library
libsss_idmap-1.11.6-30.el6_6.3.x86_64 : FreeIPA Idmap library
libsss_idmap-1.11.6-30.el6_6.4.i686 : FreeIPA Idmap library
libsss_idmap-1.11.6-30.el6_6.4.x86_64 : FreeIPA Idmap library
libsss_idmap-1.12.4-47.el6.i686 : FreeIPA Idmap library
libsss_idmap-1.12.4-47.el6.x86_64 : FreeIPA Idmap library
libsss_idmap-1.12.4-47.el6.x86_64 : FreeIPA Idmap library

but when I try to downgrade I get

--> Finished Dependency Resolution
Error: Package: sssd-common-1.12.4-47.el6.x86_64 (installed)
           Requires: libsss_idmap(x86-64) = 1.12.4-47.el6
           Removing: libsss_idmap-1.12.4-47.el6.x86_64 (installed)
               libsss_idmap(x86-64) = 1.12.4-47.el6
           Downgraded By: libsss_idmap-1.11.6-30.el6_6.4.x86_64 (rhel-myrepo)
               libsss_idmap(x86-64) = 1.11.6-30.el6_6.4
           Available: libsss_idmap-1.9.2-82.el6.x86_64 (rhel-myrepo)
               libsss_idmap(x86-64) = 1.9.2-82.el6
           Available: libsss_idmap-1.9.2-82.4.el6_4.x86_64 (rhel-myrepo)
               libsss_idmap(x86-64) = 1.9.2-82.4.el6_4
           Available: libsss_idmap-1.9.2-82.7.el6_4.x86_64 (rhel-myrepo)
               libsss_idmap(x86-64) = 1.9.2-82.7.el6_4
           Available: libsss_idmap-1.9.2-82.10.el6_4.x86_64 (rhel-myrepo)
               libsss_idmap(x86-64) = 1.9.2-82.10.el6_4
           Available: libsss_idmap-1.11.6-30.el6_6.3.x86_64 (rhel-myrepo)
               libsss_idmap(x86-64) = 1.11.6-30.el6_6.3
Error: Package: sssd-common-1.12.4-47.el6.x86_64 (installed)
           Requires: libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)
           Removing: libsss_idmap-1.12.4-47.el6.x86_64 (installed)
               libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)
           Downgraded By: libsss_idmap-1.11.6-30.el6_6.4.x86_64 (rhel-myrepo)
               Not found

-andy

From duncan.mcnaught at bitnet.io Mon Sep 21 22:49:42 2015
From: duncan.mcnaught at bitnet.io (Duncan McNaught)
Date: Mon, 21 Sep 2015 16:49:42 -0600
Subject: [Freeipa-users] otp issue: can't log in with password+otp
Message-ID:

Dear freeipa-users,

I'm having an issue with otp in freeipa. I can set up the service as
described in the blog post for TOTP or HOTP, and sync the token fine. When I
try to login to the admin tools or an ipa-managed client (with ), I get a
password incorrect message.

Here are some more details:
https://github.com/adelton/docker-freeipa/issues/34

Can anyone help me to debug/get this working?

Thanks
--Duncan

From CWhite at skytouchtechnology.com Mon Sep 21 23:03:54 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Mon, 21 Sep 2015 23:03:54 +0000
Subject: [Freeipa-users] last step in retiring old RHEL 6 (IPA 3.0.0) servers
In-Reply-To: <55FBCEDE.7090906@redhat.com>
References: <55FAA0DB.80201@redhat.com> <55FAAAF2.9070904@redhat.com> <55FBCEDE.7090906@redhat.com>
Message-ID:

-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com]
Sent: Friday, September 18, 2015 1:44 AM
To: Craig White; Martin Kosek; freeipa-users at redhat.com; Jan Cholasta
Subject: Re: [Freeipa-users] last step in retiring old RHEL 6 (IPA 3.0.0) servers

On 09/17/2015 06:19 PM, Craig White wrote:
> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: Thursday, September 17, 2015 4:59 AM
> To: Martin Kosek; Craig White; freeipa-users at redhat.com; Jan Cholasta
> Subject: Re: [Freeipa-users] last step in retiring old RHEL 6 (IPA
> 3.0.0) servers
>
>>> What's the trick to get rid of an old, discontinued 'master' ?
>>> >>> Craig White >> >> Quickly looking at ipa-replica-manage code, the del command will end >> if there is no RUV. So it seems that in some of your previous RUV was >> deleted, but server record was not. >> >> What does >> # ipa-replica-manage list-ruv >> show? >> >> Petr or Honza, is the only option here to >> 1) Use ldapdelete to delete the master record in cn=masters as a >> hotfix for this issue > > It will fix the replica manage output but replica cleanup does more things than just a removal of master entry. It also: > deletes services of the host This part could be done in web ui - check for /ipa1.stt.local at STT.LOCAL where is usually DNS, HTTP and ldap ---- The webui also shows a dogtag/ipa1.stt.local at STT.LOCAL but no other dogtag URL's (like the new master). Is it no longer needed or should it be changed to the new CA-master? ---- > removes s4u2proxy configuration > removes some ACIs > > More info: > https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/r > eplication.py#n1185 > > >> 2) File a ticket to avoid get_ruv function exit the whole "del" >> command when --force is in play to fix this long-term > > https://fedorahosted.org/freeipa/ticket/5307 > ---- > OK - I think I see the LDAP entries and just wanting confirmation > before I do great harm :-) > > Dn: cn=ipa1.stt.local,cn=masters,cn=ipa,cn=etc,dc=stt,dc=local yes If by ipa1_ETC you mean (assuming that your realm is STT.LOCAL): > Dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=stt,dc=local - > attribute memberPrincipal ipa1_ETC HTTP/ipa1.stt.local at STT.LOCAL > Dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=stt,dc=local > - attribute memberPrincipal ipa1_ETC ldap/ipa1.stt.local at STT.LOCAL > > The one DN and the 2 attributes are what I should delete to get rid of this dead master? > > Rummaging around, I do see other hanging chads (pardon the election season humor)... 
>
> DN: dnaHostname ipa1.stt.local + 0,cn=posix-ids,cn=dna,cn=etc,dc=stt,dc=local (that is apparently 'dnaPortNum 0 and dnaSecurePortNum 636)
> DN: dnaHostname ipa1.stt.local + 389,cn=posix-ids,cn=dna,cn=etc,dc=stt,dc=local (that is apparently 'dnaPortNum 389 and dnaSecurePortNum 636)
>
> And if I were to delete the first one, there wouldn't be any entries pointing to port '0' but that just looks strange to me anyway. If I delete both the above, then all that is left is just the 2 new RHEL 7 IPA/iDM servers on ports 389/636 which seems right to me.

Check if the DNA range configuration for the deleted master does contain dnaRemainingValues other than 0. In that case you might want to check DNA configuration of other masters to be sure that other master can issue posix numbers. DNA ranges could be also configured using ipa-replica-manage.

-----
Yes, the other servers are there and seem to handle the right stuff
-----

>
> If there are actual ACIs to edit, I am afraid I don't have a tool to do that very easily.

Could be seen e.g., when browsing LDAP structure in Apache Directory studio as Directory Manager. It's 'aci' attribute of entry cn=masters,cn=ipa,cn=etc,$SUFFIX

There should be two which contain the deleted replica hostname. One has name "Read IPA Masters" the other "Modify IPA Masters".

----
Not sure I understand. There are entries for the 3 servers in question Ipa1, ipa3, ipa4 but in cn=masters,cn=ipa,cn=etc,$SUFFIX there isn't anything (i.e. attributes) that are called IPA Masters or Modify IPA Masters under any of them.

Thanks

From contactus at silverskysoft.com Tue Sep 22 01:44:30 2015
From: contactus at silverskysoft.com (Silver Sky Soft Services, Inc.)
Date: Mon, 21 Sep 2015 18:44:30 -0700
Subject: [Freeipa-users] Creating A Subordinate Certificate Authority in FreeIPA
Message-ID:

Hi all,

Recently we needed to create a subordinate CA in FreeIPA and conveniently used the certificate profile feature in 4.2.0.
For benefit of others, I have documented this in our blog,
http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/

Any comments are appreciated.

Summary of the profile is:
*) Set the CA flag to true
*) Set the appropriate Key Usage constraint.

policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false

We have verified the certs issued with Sub-CA are accepted in browsers where only the Root CA is set as trusted.
-Kiran

From ftweedal at redhat.com Tue Sep 22 02:54:38 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 22 Sep 2015 12:54:38 +1000
Subject: [Freeipa-users] Creating A Subordinate Certificate Authority in FreeIPA
In-Reply-To:
References:
Message-ID: <20150922025438.GO16937@dhcp-40-8.bne.redhat.com>

On Mon, Sep 21, 2015 at 06:44:30PM -0700, Silver Sky Soft Services, Inc. wrote:
> Hi all,
> Recently we needed to create a subordinate CA in FreeIPA and
> conveniently used the certificate profile feature in 4.2.0. For
> benefit of others, I have documented this in our blog,
>
> http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/
>
> Any comments are appreciated.
>
> Summary of the profile is:
> *) Set the CA flag to true
> *) Set the appropriate Key Usage constraint.
>
> policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
> policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
> policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
> policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
> policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
> policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
> policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
> policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
> policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
> policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
> policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
> policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
> policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
> policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
> policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
> policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
> policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
>
> We have verified the certs issued with Sub-CA are accepted in browsers
> where only the Root CA is set as trusted.
>
> -Kiran
>
Thank you for sharing, Kiran!

A future version of FreeIPA will support creating sub-CAs via a native plugin and allow specifying the desired issuer as an argument to `ipa cert-request' and `ipa-getcert request'.

Regarding EV: the list of supported EV policies is maintained by browser vendors and validation includes matching the policy OID with the expected issuer. Accordingly, even with the right Dogtag profile you would have to modify the browser (or, possibly, some configuration that is read by the browser) to attain the green bar. It is probably not worth the effort :)

Cheers,
Fraser

From rstory at tislabs.com Tue Sep 22 03:06:49 2015
From: rstory at tislabs.com (Robert Story)
Date: Mon, 21 Sep 2015 23:06:49 -0400
Subject: [Freeipa-users] Another CentOS 6.x to CentOS 7.1 migration question
Message-ID: <20150921230649.28a30d74@ispx.vb.futz.org>

I've followed the migration document
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
almost to the end.

I'm at step 10, which stops everything on the old . My concern is all the installed servers that are pointing at the old system. That host name is hardcoded in sssd.conf all over my network, and we rely on freeIPA for centralized user management and ssh keys.

My original system was auth.example, and the new one is auth-2.example. Is it safe to make auth.example a CNAME to auth-2.example?
Or will something somewhere break if the ip address changes (and is pointing at a newer version of freeIP)?

Robert

--
Senior Software Engineer @ Parsons

From contactus at silverskysoft.com Tue Sep 22 03:32:17 2015
From: contactus at silverskysoft.com (Silver Sky Soft Services, Inc.)
Date: Mon, 21 Sep 2015 20:32:17 -0700
Subject: [Freeipa-users] Creating A Subordinate Certificate Authority in FreeIPA
In-Reply-To: <20150922025438.GO16937@dhcp-40-8.bne.redhat.com>
References: <20150922025438.GO16937@dhcp-40-8.bne.redhat.com>
Message-ID:

Hi Fraser,

Thanks. I actually looked at your proposal. It certainly makes it easier. But hopefully the info we put in will help others in need.

The EV bar - we are finishing up on a detailed analysis. In summary, it's actually not possible to get green bar without recompiling Mozilla/Chrome (which makes it an impractical solution to work with for anything but very small networks). IE on the other hand is simpler if you have AD environment.

-Kiran

On Mon, Sep 21, 2015 at 7:54 PM, Fraser Tweedale wrote:
> On Mon, Sep 21, 2015 at 06:44:30PM -0700, Silver Sky Soft Services, Inc. wrote:
>> Hi all,
>> Recently we needed to create a subordinate CA in FreeIPA and
>> conveniently used the certificate profile feature in 4.2.0. For
>> benefit of others, I have documented this in our blog,
>>
>> http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/
>>
>> Any comments are appreciated.
>>
>> Summary of the profile is:
>> *) Set the CA flag to true
>> *) Set the appropriate Key Usage constraint.
>>
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
>> policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
>> policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
>> policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
>> policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
>> policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
>> policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
>>
>> We have verified the certs issued with Sub-CA are accepted in browsers
>> where only the Root CA is set as trusted.
>>
>> -Kiran
>>
> Thank you for sharing, Kiran!
>
> A future version of FreeIPA will support creating sub-CAs via a
> native plugin and allow specifying the desired issuer as an argument
> to `ipa cert-request' and `ipa-getcert request'.
>
> Regarding EV: the list of supported EV policies is maintained by
> browser vendors and validation includes matching the policy OID with
> the expected issuer.
> Accordingly, even with the right Dogtag
> profile you would have to modify the browser (or, possibly, some
> configuration that is read by the browser) to attain the green bar.
> It is probably not worth the effort :)
>
> Cheers,
> Fraser

From mkosek at redhat.com Tue Sep 22 06:49:00 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 22 Sep 2015 08:49:00 +0200
Subject: [Freeipa-users] Another CentOS 6.x to CentOS 7.1 migration question
In-Reply-To: <20150921230649.28a30d74@ispx.vb.futz.org>
References: <20150921230649.28a30d74@ispx.vb.futz.org>
Message-ID: <5600F9DC.5020905@redhat.com>

On 09/22/2015 05:06 AM, Robert Story wrote:
> I've followed the migration document
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
> almost to the end.
>
> I'm at step 10, which stops everything on the old . My concern is all
> the installed servers that are pointing at the old system. That host name
> is hardcoded in sssd.conf all over my network, and we rely on freeIPA for
> centralized user management and ssh keys.
>
> My original system was auth.example, and the new one is auth-2.example. Is
> it safe to make auth.example a CNAME to auth-2.example? Or will something
> somewhere break if the ip address changes (and is pointing at a newer
> version of freeIP)?

I wouldn't be too afraid of the IP address change, but rather the CNAME itself and Kerberos authentication against the CNAME'ed old FreeIPA server. But I think Alexander had some ideas how to make such setups working.

As for the clients, if you use DNS SRV records, you should be fine, even if the original server is listed in sssd.conf - well, as long as its server list also has "_srv_" in it which ipa-client-install adds if DNS SRV check passes.
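Martin's advice above hinges on whether each client's ipa_server list still carries "_srv_". As an added example (not from the thread, not SSSD or FreeIPA code), the script below parses an sssd.conf and reports which IPA domains lack the SRV marker, which still pin a retired host, and which would be left with no server at all once that host stops. The sample configuration is constructed for the demo; the retired host auth.example is taken from Robert's message.

```python
"""Audit sssd.conf IPA domains before retiring an old IPA master.

Added example, not from the thread: a client whose ipa_server list still
contains "_srv_" keeps working through DNS SRV discovery even if a retired
server is also listed. This script parses an sssd.conf, reports per domain
whether "_srv_" is present, which listed servers are on a retired list, and
which domains would be left with no reachable server. Hostnames auth.example
and auth-2.example come from the thread; the sssd.conf content below is
constructed for the demo.
"""
import configparser
from typing import Dict, List

SRV_MARKER = "_srv_"

# Constructed sample: the first domain pins only the old server, the second
# lists _srv_ first, the way ipa-client-install writes it when SRV lookup works.
SAMPLE_SSSD_CONF = """
[sssd]
domains = example, lab.example
services = nss, pam, ssh

[domain/example]
id_provider = ipa
ipa_domain = example
ipa_server = auth.example
ipa_hostname = client1.example

[domain/lab.example]
id_provider = ipa
ipa_domain = lab.example
ipa_server = _srv_, auth.example, auth-2.example
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text (INI syntax, case-sensitive option names)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep option names exactly as written
    cfg.read_string(text)
    return cfg


def server_list(value: str) -> List[str]:
    """Split an ipa_server value such as "_srv_, host1, host2" into entries."""
    return [s.strip() for s in value.split(",") if s.strip()]


def audit_ipa_domains(text: str, retired_hosts: List[str]) -> Dict[str, dict]:
    """Report every id_provider=ipa domain in the config.

    Returns {section: {"servers": [...], "has_srv": bool, "stale": [...]}}.
    An absent ipa_server option means SSSD relies on SRV discovery alone,
    so has_srv is reported True in that case.
    """
    cfg = parse_sssd_conf(text)
    retired = {h.lower().rstrip(".") for h in retired_hosts}
    report: Dict[str, dict] = {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        if cfg.get(section, "id_provider", fallback="").strip() != "ipa":
            continue
        servers = server_list(cfg.get(section, "ipa_server", fallback=""))
        has_srv = not servers or any(s.lower() == SRV_MARKER for s in servers)
        stale = [s for s in servers if s.lower().rstrip(".") in retired]
        report[section] = {"servers": servers, "has_srv": has_srv, "stale": stale}
    return report


def domains_at_risk(report: Dict[str, dict]) -> List[str]:
    """Domains that lose every server once the retired hosts go away:
    no _srv_ entry and no fixed server that survives the retirement."""
    at_risk = []
    for section, info in report.items():
        survivors = [s for s in info["servers"]
                     if s not in info["stale"] and s.lower() != SRV_MARKER]
        if not info["has_srv"] and not survivors:
            at_risk.append(section)
    return sorted(at_risk)


if __name__ == "__main__":
    result = audit_ipa_domains(SAMPLE_SSSD_CONF, ["auth.example"])
    for name, info in result.items():
        flag = "OK    " if info["has_srv"] else "NO-SRV"
        print(f"{flag} {name}: servers={info['servers']} stale={info['stale']}")
    print("at risk when auth.example stops:", domains_at_risk(result))
```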
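Going back to the sub-CA profile Kiran posted above: an added example (not from the thread, not Dogtag or FreeIPA code) that parses that policyset fragment and flags settings which would let the profile issue something other than a tightly constrained CA certificate. It assumes the MinPathLen/MaxPathLen constraint bounds the default PathLen as a closed interval, with a negative value meaning no limit.

```python
"""Lint a Dogtag certificate-profile fragment intended for issuing a sub-CA.

Added example, not from the thread and not Dogtag/FreeIPA code: it parses the
policyset.* key=value lines posted above and flags settings that would let the
profile issue anything but a tightly constrained CA certificate. Assumed: the
Min/MaxPathLen constraint bounds PathLen as a closed interval, negative = no limit.
"""
import re
from typing import Dict, List, Tuple

# Profile fragment exactly as posted in the thread (policy set caSubCertSet).
SUBCA_PROFILE = """\
policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
"""

PARAM_RE = re.compile(
    r"^policyset\.(?P<pset>[^.]+)\.(?P<idx>\d+)\.(?P<kind>constraint|default)"
    r"\.params\.(?P<name>[^=]+)=(?P<value>.*)$"
)
# Key-usage bits a CA certificate needs, and bits it must not carry.
CA_KU_TRUE = ("keyUsageKeyCertSign", "keyUsageCrlSign")
CA_KU_FALSE = ("keyUsageDataEncipherment", "keyUsageKeyEncipherment",
               "keyUsageKeyAgreement", "keyUsageEncipherOnly", "keyUsageDecipherOnly")


def parse_params(text: str) -> Dict[Tuple[str, int, str], Dict[str, str]]:
    """Collect *.params.* lines as {(policyset, index, kind): {name: value}}."""
    params: Dict[Tuple[str, int, str], Dict[str, str]] = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.strip())
        if m:
            key = (m["pset"], int(m["idx"]), m["kind"])
            params.setdefault(key, {})[m["name"].strip()] = m["value"].strip()
    return params


def _true(value: str) -> bool:
    return value.strip().lower() == "true"


def lint_subca_profile(text: str) -> List[str]:
    """Return findings; an empty list means the fragment pins a constrained CA."""
    findings: List[str] = []
    params = parse_params(text)
    saw_bc = saw_ku = False
    for (pset, idx, kind), p in sorted(params.items()):
        tag = f"{pset}.{idx}"
        if kind == "default" and "basicConstraintsIsCA" in p:
            saw_bc = True
            c = params.get((pset, idx, "constraint"), {})
            if not _true(p["basicConstraintsIsCA"]):
                findings.append(f"{tag}: default basicConstraintsIsCA is not true")
            if not _true(c.get("basicConstraintsIsCA", "")):
                findings.append(f"{tag}: constraint does not require basicConstraintsIsCA=true")
            if not _true(p.get("basicConstraintsCritical", "")):
                findings.append(f"{tag}: basicConstraints must be critical on a CA certificate")
            plen = int(p.get("basicConstraintsPathLen", "-1"))
            lo = int(c.get("basicConstraintsMinPathLen", "0"))
            hi = int(c.get("basicConstraintsMaxPathLen", "-1"))  # assumed: negative = unlimited
            if plen < 0:
                findings.append(f"{tag}: no path length limit; the sub-CA could issue further CAs")
            elif plen < lo or (hi >= 0 and plen > hi):
                findings.append(f"{tag}: basicConstraintsPathLen={plen} outside constraint [{lo}, {hi}]")
        if kind == "constraint" and "keyUsageKeyCertSign" in p:
            saw_ku = True
            if not _true(p.get("keyUsageCritical", "")):
                findings.append(f"{tag}: keyUsage should be critical")
            for name in CA_KU_TRUE:
                if not _true(p.get(name, "")):
                    findings.append(f"{tag}: {name} must be constrained to true (got {p.get(name, 'unset')})")
            for name in CA_KU_FALSE:
                if p.get(name, "").strip().lower() != "false":
                    findings.append(f"{tag}: {name} must be constrained to false (got {p.get(name, 'unset')})")
    if not saw_bc:
        findings.append("no Basic Constraints default found")
    if not saw_ku:
        findings.append("no Key Usage constraint found")
    return findings


if __name__ == "__main__":
    print("as posted:", lint_subca_profile(SUBCA_PROFILE) or "no findings")
    print("pathlen 1:", lint_subca_profile(
        SUBCA_PROFILE.replace("basicConstraintsPathLen=0", "basicConstraintsPathLen=1")))
```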
From abokovoy at redhat.com Tue Sep 22 07:32:44 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 22 Sep 2015 10:32:44 +0300
Subject: [Freeipa-users] Another CentOS 6.x to CentOS 7.1 migration question
In-Reply-To: <5600F9DC.5020905@redhat.com>
References: <20150921230649.28a30d74@ispx.vb.futz.org> <5600F9DC.5020905@redhat.com>
Message-ID: <20150922073244.GB4459@redhat.com>

On Tue, 22 Sep 2015, Martin Kosek wrote:
>On 09/22/2015 05:06 AM, Robert Story wrote:
>> I've followed the migration document
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>> almost to the end.
>>
>> I'm at step 10, which stops everything on the old . My concern is all
>> the installed servers that are pointing at the old system. That host name
>> is hardcoded in sssd.conf all over my network, and we rely on freeIPA for
>> centralized user management and ssh keys.
>>
>> My original system was auth.example, and the new one is auth-2.example. Is
>> it safe to make auth.example a CNAME to auth-2.example? Or will something
>> somewhere break if the ip address changes (and is pointing at a newer
>> version of freeIP)?
>
>I wouldn't be too afraid of the IP address change, but rather the CNAME itself
>and Kerberos authentication against the CNAME'ed old FreeIPA server. But I
>think Alexander had some ideas how to make such setups working.
Yes, for this specific use case you can make auth.example a CNAME to auth-2.example. On Kerberos level all systems will be asking for tickets to an A record behind the CNAME, so they will get a correct ticket to the service.

>As for the clients, if you use DNS SRV records, you should be fine, even if the
>original server is listed in sssd.conf - well, as long as its server list also
>has "_srv_" in it which ipa-client-install adds if DNS SRV check passes.
Correct.
--
/ Alexander Bokovoy

From tbordaz at redhat.com Tue Sep 22 11:12:48 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 22 Sep 2015 13:12:48 +0200
Subject: [Freeipa-users] user delete command hangs kdc and ldap stop responding
In-Reply-To:
References: <55FBC2AB.7060302@redhat.com>
Message-ID: <560137B0.3080904@redhat.com>

Hi,

If it hangs again, could you get a pstack of the slapd process and also dump the db info 'db_stat -h /var/lib/dirsrv/slapd-/db -N -CA'? This would help to know which thread holds the lock that blocks those operations.

thanks
thierry

On 09/18/2015 09:20 PM, HECTOR LOPEZ wrote:
>
> Ludwig Krispenz,
>
> This is the output of gstack on ns-slapd (pstack on rhel), also killing the ns-slapd process gave this error "ipa: ERROR: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-GSEIS-UCLA-EDU.socket': " After that I could use ipactl restart and the command runs successfully. Thank you for helping me. Again, here is the pstack output of ns-slapd:
>
> -sh-4.2$ sudo gstack 2197
>
/lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 21 (Thread 0x7f3abaffd700 (LWP 2676)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 20 (Thread 0x7f3aba7fc700 (LWP 2677)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 19 (Thread 0x7f3ab9ffb700 (LWP 2678)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 18 (Thread 0x7f3ab97fa700 (LWP 2679)): > > #0 0x00007f3ae76e1705 in 
pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 17 (Thread 0x7f3ab8ff9700 (LWP 2680)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 16 (Thread 0x7f3ab87f8700 (LWP 2681)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 15 (Thread 0x7f3ab7ff7700 (LWP 2682)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in 
clone () from /lib64/libc.so.6 > > Thread 14 (Thread 0x7f3ab77f6700 (LWP 2683)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 13 (Thread 0x7f3ab6ff5700 (LWP 2684)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 12 (Thread 0x7f3ab67f4700 (LWP 2685)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 11 (Thread 0x7f3ab5ff3700 (LWP 2686)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from > /lib64/libdb-5.3.so > > #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from > /lib64/libdb-5.3.so > > #3 0x00007f3ae2357cea in __lock_get_internal () from > /lib64/libdb-5.3.so > 
> #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so > > > #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so > > > #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so > > > #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so > > > #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so > > > #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so > > > #10 0x00007f3ae237d843 in __db_get () from /lib64/libdb-5.3.so > > > #11 0x00007f3ae2381123 in __db_get_pp () from /lib64/libdb-5.3.so > > > #12 0x00007f3adc12949b in id2entry () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #13 0x00007f3adc14f7dd in ldbm_back_delete () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #14 0x00007f3ae9900190 in op_shared_delete () from > /usr/lib64/dirsrv/libslapd.so.0 > > #15 0x00007f3ae9900342 in delete_internal_pb () from > /usr/lib64/dirsrv/libslapd.so.0 > > #16 0x00007f3adba44739 in mep_del_post_op () from > /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so > > #17 0x00007f3ae994c280 in plugin_call_func () from > /usr/lib64/dirsrv/libslapd.so.0 > > #18 0x00007f3ae994c4d8 in plugin_call_plugins () from > /usr/lib64/dirsrv/libslapd.so.0 > > #19 0x00007f3adc14e42e in ldbm_back_delete () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #20 0x00007f3ae9900190 in op_shared_delete () from > /usr/lib64/dirsrv/libslapd.so.0 > > #21 0x00007f3ae9900453 in do_delete () from > /usr/lib64/dirsrv/libslapd.so.0 > > #22 0x00007f3ae9e1a37e in connection_threadmain () > > #23 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #24 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #25 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 10 (Thread 0x7f3ab57f2700 (LWP 2687)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in 
connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 9 (Thread 0x7f3ab4ff1700 (LWP 2688)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 8 (Thread 0x7f3ab47f0700 (LWP 2689)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 7 (Thread 0x7f3ab3fef700 (LWP 2690)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 6 (Thread 0x7f3ab37ee700 (LWP 2691)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > 
/lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 5 (Thread 0x7f3ab2fed700 (LWP 2692)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 4 (Thread 0x7f3ab27ec700 (LWP 2693)): > > #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6 > > #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0 > > #2 0x00007f3ae9e1b2c5 in time_thread () > > #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 3 (Thread 0x7f3ab1feb700 (LWP 2725)): > > #0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so > > #2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so > > #3 0x00007f3ae0376374 in sync_send_results () from > /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 2 (Thread 0x7f3ab17ea700 (LWP 
2967)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e25c85 in ps_send_results () > > #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 1 (Thread 0x7f3ae9de2840 (LWP 2197)): > > #0 0x00007f3ae76e3f7d in __lll_lock_wait () from /lib64/libpthread.so.0 > > #1 0x00007f3ae76dfd68 in _L_lock_975 () from /lib64/libpthread.so.0 > > #2 0x00007f3ae76dfd11 in pthread_mutex_lock () from > /lib64/libpthread.so.0 > > #3 0x00007f3ae7d36cb9 in PR_Lock () from /lib64/libnspr4.so > > #4 0x00007f3ae9e1def6 in slapd_daemon () > > #5 0x00007f3ae9e1117c in main () > > -sh-4.2$ > > > On Fri, Sep 18, 2015 at 12:52 AM, Ludwig Krispenz > wrote: > > > On 09/18/2015 12:24 AM, HECTOR LOPEZ wrote: >> This is rhel 7.1 with ipa version 4.1.0 >> >> user-show shows the user. However, if the user contains >> ipaNTSecurityIdentifier: attribute, user-del hangs with no response. >> >> Meanwhile, the KDC and 389ds stop working. The only way to >> recover functionality is to reboot the machine. ipactl restart >> does nothing. > If it hangs again, could you get a pstack of the slapd process ? > If you then kill slapd, does ipactl restart work ? 
>
>> In the ldap access log I see this when trying to delete user sclown:
>>
>> [14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0 etime=0
>> [14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
>> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
>> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0
>> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
>> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z 1:0 (0)
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 nentries=0 etime=0
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV 200:0:20150914093009Z 1:10 (0)
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 tag=101 nentries=1 etime=0
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV 200:0:20150914093009Z 0:0 (0)
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101 nentries=1 etime=0
>> [14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
>>
>> Then in the ldap error log I see this, which makes me think there is a problem with the changelog:
>>
>> [14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for changenumber=91314,cn=changelog from entryrdn index (-30993)
>> [14/Sep/2015:09:30:03 -0700] - Operation error fetching changenumber=91314,cn=changelog (null), error -30993.
>> [14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error occured while adding change number 91314, dn = changenumber=91314,cn=changelog: Operations error.
>> [14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: operation failure [1]
>>
>> After this both kdc and ldap stop responding. In the krb5kdc.log I see server errors after the user-del command is run. The only way to resume normal operations is to restart the whole machine. ipactl restart doesn't work.
>>
>> Any help would be highly appreciated!
>>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
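Ludwig asked for a pstack of the hung slapd, and the dump quoted above is what came back. Reading 29 threads by hand is slow, so here is a small triage script that does the first pass: it parses gdb/pstack output, keeps only threads whose stack passes through a libdb-5.3 lock or mutex routine, and for each of those reports the outermost libslapd operation, any ldbm backend function that appears twice in the same stack (the backend re-entering itself), and the plugin frames sitting in between. This is an added example written for this page, not code from the thread or from 389-ds. SAMPLE copies thread 11 and thread 10 from the dump above; the set of lock-wait function names is taken from the same dump, and the library-name matching is an assumption about how the pstack labels its frames.

```python
"""Triage a gdb/pstack dump of ns-slapd for threads stuck on a libdb lock.

Added example, not part of the thread or of 389-ds. SAMPLE copies thread 11
and thread 10 from the pstack posted above; LOCK_WAIT_FUNCS lists the
libdb-5.3 lock/mutex routines seen in that dump.
"""
import re
from collections import Counter

THREAD_RE = re.compile(r"^Thread (\d+) \(Thread 0x[0-9a-f]+ \(LWP (\d+)\)\):")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\S+) \(\)(?: from (\S+))?")

# libdb-5.3 routines a thread sits in while it waits for a page/record lock
LOCK_WAIT_FUNCS = {
    "__db_hybrid_mutex_suspend", "__db_tas_mutex_lock",
    "__lock_get_internal", "__lock_get",
}

SAMPLE = """\
Thread 11 (Thread 0x7f3ab5ff3700 (LWP 2686)):
#0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
#2  0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
#3  0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
#4  0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
#5  0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
#6  0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
#7  0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
#8  0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
#9  0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
#10 0x00007f3ae237d843 in __db_get () from /lib64/libdb-5.3.so
#11 0x00007f3ae2381123 in __db_get_pp () from /lib64/libdb-5.3.so
#12 0x00007f3adc12949b in id2entry () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
#13 0x00007f3adc14f7dd in ldbm_back_delete () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
#14 0x00007f3ae9900190 in op_shared_delete () from /usr/lib64/dirsrv/libslapd.so.0
#15 0x00007f3ae9900342 in delete_internal_pb () from /usr/lib64/dirsrv/libslapd.so.0
#16 0x00007f3adba44739 in mep_del_post_op () from /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so
#17 0x00007f3ae994c280 in plugin_call_func () from /usr/lib64/dirsrv/libslapd.so.0
#18 0x00007f3ae994c4d8 in plugin_call_plugins () from /usr/lib64/dirsrv/libslapd.so.0
#19 0x00007f3adc14e42e in ldbm_back_delete () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
#20 0x00007f3ae9900190 in op_shared_delete () from /usr/lib64/dirsrv/libslapd.so.0
#21 0x00007f3ae9900453 in do_delete () from /usr/lib64/dirsrv/libslapd.so.0
#22 0x00007f3ae9e1a37e in connection_threadmain ()
#23 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#24 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#25 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
Thread 10 (Thread 0x7f3ab57f2700 (LWP 2687)):
#0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
#2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
#3  0x00007f3ae9e1988d in connection_threadmain ()
#4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
#5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
#6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
"""


def parse_pstack(text):
    """Map thread number -> list of (function, library) frames, innermost first."""
    threads, current = {}, None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = int(m.group(1))
            threads[current] = []
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            threads[current].append((m.group(2), m.group(3) or ""))
    return threads


def triage(text):
    """Return {thread: summary} for every thread blocked inside a libdb lock call."""
    report = {}
    for tid, frames in parse_pstack(text).items():
        if not any(func in LOCK_WAIT_FUNCS for func, _ in frames):
            continue
        backend = Counter(f for f, lib in frames if lib.endswith("libback-ldbm.so"))
        report[tid] = {
            # outermost libslapd frame: the client operation this thread was serving
            "operation": next((f for f, lib in reversed(frames)
                               if lib.endswith("libslapd.so.0")), None),
            # backend entry points that re-entered the backend on the same thread
            "reentrant": sorted(f for f, n in backend.items() if n > 1),
            # plugin frames (anything under plugins/ that is not the backend itself)
            "plugins": [f for f, lib in frames
                        if "/plugins/" in lib and not lib.endswith("libback-ldbm.so")],
        }
    return report


if __name__ == "__main__":
    for tid, summary in triage(SAMPLE).items():
        print(tid, summary)
```

On the sample, thread 11 is the only hit: it was serving do_delete, ldbm_back_delete appears twice in its stack, and mep_del_post_op is the plugin frame between the two, which is the detail a developer on the 389-ds side would want pointed out first. Run the script against a full `pstack <pid>` capture to get the same summary for every lock waiter.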
From wdh at dds.nl Tue Sep 22 12:27:09 2015
From: wdh at dds.nl (Winfried de Heiden)
Date: Tue, 22 Sep 2015 14:27:09 +0200
Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
In-Reply-To: <20150922073244.GB4459@redhat.com>
References: <20150921230649.28a30d74@ispx.vb.futz.org> <5600F9DC.5020905@redhat.com> <20150922073244.GB4459@redhat.com>
Message-ID: <5601491D.5070706@dds.nl>

An HTML attachment was scrubbed...

From npmccallum at redhat.com Tue Sep 22 12:55:53 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Tue, 22 Sep 2015 08:55:53 -0400
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To:
References:
Message-ID: <1442926553.10697.70.camel@redhat.com>

On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> Dear freeipa-users,
>
> I'm having an issue with otp in freeipa. I can set up the service as described in the blog post for TOTP or HOTP, and sync the token fine. When I try to login to the admin tools or an ipa-managed client (with ) , I get a password incorrect message.
> Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> Can anyone help me to debug/get this working?

I'm very unclear as to what you are trying to do. Are you trying to run FreeIPA in a container? If so, Jan is probably your man. AFAIK, ipa-otpd will require systemd in the container.

If you are trying to run this on CentOS 7.1 (not a container), it seems to me that your LDAP server isn't running or something is wrong with ldapi.

Can you explain your setup in more detail?

Nathaniel

From michael.anderson at elegosoft.com Tue Sep 22 10:41:58 2015
From: michael.anderson at elegosoft.com (Michael Anderson)
Date: Tue, 22 Sep 2015 12:41:58 +0200
Subject: [Freeipa-users] [Import existing CA Cert]
Message-ID: <56013076.6010801@elegosoft.com>

Hi All,

we're evaluating freeipa/dogtag as a pki management service and hoping to replace our existing menagerie of bash/openssl scripts.
I'm trying to establish a migration path for our existing pki solution and have a few questions:

* how can I import and use our existing CA signing cert?
* can I import existing server certs and keys?
* I'm using Fedora22. When I install dogtag-pki, the user page for submitting csr's is available. But when I install the freeipa package, I get a 404 when attempting to access the page. Is this functionality available in freeipa?

Thanks!

Michael Anderson

--
Michael Anderson
IT Services & Support
elego Software Solutions GmbH
Gustav-Meyer-Allee 25
Building 12.3 (BIG) room 227
13355 Berlin, Germany
phone +49 30 23 45 86 96
michael.anderson at elegosoft.com
fax +49 30 23 45 86 95
http://www.elegosoft.com
Geschaeftsfuehrer: Olaf Wagner, Sitz Berlin
Amtsgericht Berlin-Charlottenburg, HRB 77719, USt-IdNr: DE163214194

From james.masson at jmips.co.uk Tue Sep 22 15:02:45 2015
From: james.masson at jmips.co.uk (James Masson)
Date: Tue, 22 Sep 2015 16:02:45 +0100
Subject: [Freeipa-users] Automatic IPA CA cert generation
Message-ID: <56016D95.3080708@jmips.co.uk>

Hi,

we're building IPAs in an automated fashion, for environments that get created and destroyed a lot.

At the moment, the CA certs used inside these IPAs are self-signed, as part of the normal "ipa-server-install" setup process.

We would like to switch to issuing signed intermediate CA certs to the IPAs we deploy. The documentation lists the two part process necessary for this. First "--external-ca" - and then "--external-cert-file"

Are there any ways to skip this, and give the setup process a known public/private key+cert up front? I'm hoping to avoid the need to have to use/send this automatically generated CSR every time.
thanks

James M

From duncan.mcnaught at bitnet.io Tue Sep 22 18:10:14 2015
From: duncan.mcnaught at bitnet.io (Duncan McNaught)
Date: Tue, 22 Sep 2015 12:10:14 -0600
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To: <1442926553.10697.70.camel@redhat.com>
References: <1442926553.10697.70.camel@redhat.com>
Message-ID:

Thanks Nathaniel,

I am running with Jan's Centos-7 container and I'd like to have Multi-factor Authentication/2FA enabled. He mentioned that systemd is not running in the container, so I guess that explains why 2FA is failing. I wonder if I can get systemd running there.

--Duncan

Thanks
--Duncan
____________________________
Duncan McNaught
Infrastructure Engineer
 Technologies | www.bitnet.io
+1 720 240 6575

On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum wrote:
> On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > Dear freeipa-users,
> >
> > I'm having an issue with otp in freeipa. I can set up the service as described in the blog post for TOTP or HOTP, and sync the token fine. When I try to login to the admin tools or an ipa-managed client (with ) , I get a password incorrect message.
> > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> > Can anyone help me to debug/get this working?
>
> I'm very unclear as to what you are trying to do. Are you trying to run FreeIPA in a container? If so, Jan is probably your man. AFAIK, ipa-otpd will require systemd in the container.
>
> If you are trying to run this on CentOS 7.1 (not a container), it seems to me that your LDAP server isn't running or something is wrong with ldapi.
>
> Can you explain your setup in more detail?
>
> Nathaniel
From npmccallum at redhat.com Tue Sep 22 18:12:21 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Tue, 22 Sep 2015 14:12:21 -0400
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To:
References: <1442926553.10697.70.camel@redhat.com>
Message-ID: <1442945541.10697.129.camel@redhat.com>

Running IPA in a container is very bleeding edge. I would not be surprised at all if you run into lots of problems.

On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
> Thanks Nathaniel,
> I am running with Jan's Centos-7 container and I'd like to have Multi-factor Authentication/2FA enabled.
> He mentioned that systemd is not running in the container, so I guess that explains why 2FA is failing. I wonder if I can get systemd running there.
> --Duncan
>
>
> Thanks
> --Duncan
> ____________________________
> Duncan McNaught
> Infrastructure Engineer
> Technologies | www.bitnet.io
> +1 720 240 6575
>
> On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum wrote:
> > On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > > Dear freeipa-users,
> > >
> > > I'm having an issue with otp in freeipa. I can set up the service as described in the blog post for TOTP or HOTP, and sync the token fine.
> > > When I try to login to the admin tools or an ipa-managed client (with ) , I get a password incorrect message.
> > > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> > > Can anyone help me to debug/get this working?
> >
> > I'm very unclear as to what you are trying to do. Are you trying to run FreeIPA in a container? If so, Jan is probably your man. AFAIK, ipa-otpd will require systemd in the container.
> >
> > If you are trying to run this on CentOS 7.1 (not a container), it seems to me that your LDAP server isn't running or something is wrong with ldapi.
> >
> > Can you explain your setup in more detail?
> >
> > Nathaniel
> >

From duncan.mcnaught at bitnet.io Tue Sep 22 18:13:21 2015
From: duncan.mcnaught at bitnet.io (Duncan McNaught)
Date: Tue, 22 Sep 2015 12:13:21 -0600
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To: <1442945541.10697.129.camel@redhat.com>
References: <1442926553.10697.70.camel@redhat.com> <1442945541.10697.129.camel@redhat.com>
Message-ID:

I realize that, thanks.
That's currently the only problem for us - getting 2FA to work.

Thanks
--Duncan
____________________________
Duncan McNaught
Infrastructure Engineer
 Technologies | www.bitnet.io
+1 720 240 6575

On Tue, Sep 22, 2015 at 12:12 PM, Nathaniel McCallum wrote:
> Running IPA in a container is very bleeding edge. I would not be surprised at all if you run into lots of problems.
>
> On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
> > Thanks Nathaniel,
> > I am running with Jan's Centos-7 container and I'd like to have Multi-factor Authentication/2FA enabled.
> > He mentioned that systemd is not running in the container, so I guess that explains why 2FA is failing. I wonder if I can get systemd running there.
> > --Duncan
> >
> >
> > Thanks
> > --Duncan
> > ____________________________
> > Duncan McNaught
> > Infrastructure Engineer
> > Technologies | www.bitnet.io
> > +1 720 240 6575
> >
> > On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum wrote:
> > > On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > > > Dear freeipa-users,
> > > >
> > > > I'm having an issue with otp in freeipa. I can set up the service as described in the blog post for TOTP or HOTP, and sync the token fine.
> > > > When I try to login to the admin tools or an ipa-managed client (with ) , I get a password incorrect message.
> > > > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> > > > Can anyone help me to debug/get this working?
> > >
> > > I'm very unclear as to what you are trying to do. Are you trying to run FreeIPA in a container? If so, Jan is probably your man. AFAIK, ipa-otpd will require systemd in the container.
> > >
> > > If you are trying to run this on CentOS 7.1 (not a container), it seems to me that your LDAP server isn't running or something is wrong with ldapi.
> > >
> > > Can you explain your setup in more detail?
> > >
> > > Nathaniel
> >

From abokovoy at redhat.com Tue Sep 22 18:22:59 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 22 Sep 2015 21:22:59 +0300
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To:
References: <1442926553.10697.70.camel@redhat.com> <1442945541.10697.129.camel@redhat.com>
Message-ID: <20150922182259.GH29260@redhat.com>

On Tue, 22 Sep 2015, Duncan McNaught wrote:
>I realize that, thanks.
>That's currently the only problem for us - getting 2FA to work.
Given that we rely on socket activation for ipa-otpd, you would need to make a wrapper that would listen on a unix domain socket and forward the data between ipa-otpd stdin/stdout and that socket. This is what is provided to us by systemd.

>
>Thanks
>--Duncan
>____________________________
>
>Duncan McNaught
>Infrastructure Engineer
> Technologies | www.bitnet.io
>+1 720 240 6575
>
>On Tue, Sep 22, 2015 at 12:12 PM, Nathaniel McCallum wrote:
>
>> Running IPA in a container is very bleeding edge. I would not be surprised at all if you run into lots of problems.
>>
>> On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
>> > Thanks Nathaniel,
>> > I am running with Jan's Centos-7 container and I'd like to have Multi-factor Authentication/2FA enabled.
>> > He mentioned that systemd is not running in the container, so I guess that explains why 2FA is failing. I wonder if I can get systemd running there.
>> > --Duncan
>> >
>> >
>> > Thanks
>> > --Duncan
>> > ____________________________
>> > Duncan McNaught
>> > Infrastructure Engineer
>> > Technologies | www.bitnet.io
>> > +1 720 240 6575
>> >
>> > On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum wrote:
>> > > On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
>> > > > Dear freeipa-users,
>> > > >
>> > > > I'm having an issue with otp in freeipa. I can set up the service as described in the blog post for TOTP or HOTP, and sync the token fine.
>> > > > When I try to login to the admin tools or an ipa-managed client (with ) , I get a password incorrect message.
>> > > > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
>> > > > Can anyone help me to debug/get this working?
>> > >
>> > > I'm very unclear as to what you are trying to do. Are you trying to run FreeIPA in a container? If so, Jan is probably your man. AFAIK, ipa-otpd will require systemd in the container.
>> > >
>> > > If you are trying to run this on CentOS 7.1 (not a container), it seems to me that your LDAP server isn't running or something is wrong with ldapi.
>> > >
>> > > Can you explain your setup in more detail?
>> > >
>> > > Nathaniel
>> > >
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy

From Less at imagine-sw.com Tue Sep 22 21:52:38 2015
From: Less at imagine-sw.com (Les Stott)
Date: Tue, 22 Sep 2015 21:52:38 +0000
Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
In-Reply-To: <5601491D.5070706@dds.nl>
References: <20150921230649.28a30d74@ispx.vb.futz.org> <5600F9DC.5020905@redhat.com> <20150922073244.GB4459@redhat.com> <5601491D.5070706@dds.nl>
Message-ID: <4ED173A868981548967B4FCA2707222628226302@AACMBXP04.exchserver.com>

The only way to get around it, because you are using the same domain name, is to use different browsers to visit each site. Firefox for sitea, chrome for siteb.

It's got to do with the fact that the Parent certificate name (generated automatically during install) is the same on both and because the domain matches then firefox throws the ssl warning.

I have the same thing in my environments for production and dr where the domain name is the same in both.

Regards,

Les

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Winfried de Heiden
Sent: Tuesday, 22 September 2015 10:27 PM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] sec_error_reused_issuer_and_serial

Hi all,

Playing around with freeipa on Fedora 22 after installing I cannot access the UI. Firefox will tell "sec_error_reused_issuer_and_serial".

I already have a Freeipa (Fedora 21 based) and somewhere there seems to be a conflict in the certificates. After using a different domain name all goes well.

I want to test and try a few things on a test Freeipa server using the same domain name. Deleting all certificates in Firefox or even trying a new and clean profile did not help. How can I avoid this conflict?
Winfried

From ftweedal at redhat.com Wed Sep 23 00:59:19 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 23 Sep 2015 10:59:19 +1000
Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
In-Reply-To: <4ED173A868981548967B4FCA2707222628226302@AACMBXP04.exchserver.com>
References: <20150921230649.28a30d74@ispx.vb.futz.org> <5600F9DC.5020905@redhat.com> <20150922073244.GB4459@redhat.com> <5601491D.5070706@dds.nl> <4ED173A868981548967B4FCA2707222628226302@AACMBXP04.exchserver.com>
Message-ID: <20150923005919.GV16937@dhcp-40-8.bne.redhat.com>

On Tue, Sep 22, 2015 at 09:52:38PM +0000, Les Stott wrote:
> The only way to get around it, because you are using the same domain name, is to use different browsers to visit each site.
> Firefox for sitea, chrome for siteb.
>
It is not the only way; you can flush your browser cache / offline data for the site and cause the browser to forget about the issuer. Certainly with Firefox this is possible (I don't use Chromium).

Or you can use separate Firefox profiles (again I am unsure if Chromium has this feature) for the separate installations.

Or for installations / experimentation, you can specify a different "Organization" component of the root issuer DN when installing FreeIPA. I include a "timestamp" when installing test servers:

    ipa-server-install --subject 'O=IPA.LOCAL 201508311610'

Hope that helps!
Fraser

> It's got to do with the fact that the Parent certificate name (generated automatically during install) is the same on both and because the domain matches then firefox throws the ssl warning.
>
> I have the same thing in my environments for production and dr where the domain name is the same in both.
>
> Regards,
>
> Les
>
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Winfried de Heiden
> Sent: Tuesday, 22 September 2015 10:27 PM
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
>
> Hi all,
>
> Playing around with freeipa on Fedora 22 after installing I cannot access the UI. Firefox will tell "sec_error_reused_issuer_and_serial".
>
> I already have a Freeipa (Fedora 21 based) and somewhere there seems to be a conflict in the certificates. After using a different domain name all goes well.
>
> I want to test and try a few things on a test Freeipa server using the same domain name. Deleting all certificates in Firefox or even trying a new and clean profile did not help. How can I avoid this conflict?
>
> Winfried
>

From Less at imagine-sw.com Wed Sep 23 02:54:29 2015
From: Less at imagine-sw.com (Les Stott)
Date: Wed, 23 Sep 2015 02:54:29 +0000
Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
In-Reply-To: <20150923005919.GV16937@dhcp-40-8.bne.redhat.com>
References: <20150921230649.28a30d74@ispx.vb.futz.org> <5600F9DC.5020905@redhat.com> <20150922073244.GB4459@redhat.com> <5601491D.5070706@dds.nl> <4ED173A868981548967B4FCA2707222628226302@AACMBXP04.exchserver.com> <20150923005919.GV16937@dhcp-40-8.bne.redhat.com>
Message-ID: <4ED173A868981548967B4FCA2707222628227774@AACMBXP04.exchserver.com>

> -----Original Message-----
> From: Fraser Tweedale [mailto:ftweedal at redhat.com]
> Sent: Wednesday, 23 September 2015 10:59 AM
> To: Les Stott
> Cc: Winfried de Heiden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sec_error_reused_issuer_and_serial
>
> On Tue, Sep 22, 2015 at 09:52:38PM +0000, Les Stott wrote:
> > The only way to get around it, because you are using the
> > same domain name, is to use different browsers to visit each site.
> > Firefox for sitea, chrome for siteb.
> >
> It is not the only way; you can flush your browser cache / offline data for the site and cause the browser to forget about the issuer.
> Certainly with Firefox this is possible (I don't use Chromium).
>

This never worked for me. Or if it did, it made siteb accessible, but then sitea had the ssl error and vice versa.

> Or you can use separate Firefox profiles (again I am unsure if Chromium has this feature) for the separate installations.
>
> Or for installations / experimentation, you can specify a different "Organization" component of the root issuer DN when installing FreeIPA. I include a "timestamp" when installing test servers:
>
> ipa-server-install --subject 'O=IPA.LOCAL 201508311610'

Never knew about that option. It would make sense if something like that was the default I think....

Thanks for the info.

Regards,

Les

>
> Hope that helps!
> Fraser
>
> > It's got to do with the fact that the Parent certificate name (generated automatically during install) is the same on both and because the domain matches then firefox throws the ssl warning.
> >
> > I have the same thing in my environments for production and dr where the domain name is the same in both.
> >
> > Regards,
> >
> > Les
> >
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Winfried de Heiden
> > Sent: Tuesday, 22 September 2015 10:27 PM
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
> >
> > Hi all,
> >
> > Playing around with freeipa on Fedora 22 after installing I cannot access the UI. Firefox will tell "sec_error_reused_issuer_and_serial".
> >
> > I already have a Freeipa (Fedora 21 based) and somewhere there seems to be a conflict in the certificates. After using a different domain name all goes well.
> >
> > I want to test and try a few things on a test Freeipa server using the same domain name. Deleting all certificates in Firefox or even trying a new and clean profile did not help. How can I avoid this conflict?
> >
> > Winfried
> >

From ftweedal at redhat.com Wed Sep 23 05:55:02 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 23 Sep 2015 15:55:02 +1000
Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
In-Reply-To: <4ED173A868981548967B4FCA2707222628227774@AACMBXP04.exchserver.com>
References: <20150921230649.28a30d74@ispx.vb.futz.org> <5600F9DC.5020905@redhat.com> <20150922073244.GB4459@redhat.com> <5601491D.5070706@dds.nl> <4ED173A868981548967B4FCA2707222628226302@AACMBXP04.exchserver.com> <20150923005919.GV16937@dhcp-40-8.bne.redhat.com> <4ED173A868981548967B4FCA2707222628227774@AACMBXP04.exchserver.com>
Message-ID: <20150923055502.GX16937@dhcp-40-8.bne.redhat.com>

On Wed, Sep 23, 2015 at 02:54:29AM +0000, Les Stott wrote:
>
>
> > -----Original Message-----
> > From: Fraser Tweedale [mailto:ftweedal at redhat.com]
> > Sent: Wednesday, 23 September 2015 10:59 AM
> > To: Les Stott
> > Cc: Winfried de Heiden; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] sec_error_reused_issuer_and_serial
> >
> > On Tue, Sep 22, 2015 at 09:52:38PM +0000, Les Stott wrote:
> > > The only way to get around it, because you are using the same domain name, is to use different browsers to visit each site.
> > > Firefox for sitea, chrome for siteb.
> > >
> > It is not the only way; you can flush your browser cache / offline data for the site and cause the browser to forget about the issuer.
> > Certainly with Firefox this is possible (I don't use Chromium).
> >
>
> This never worked for me.
> Or if it did, it made siteb accessible, but then sitea had the ssl error and vice versa.
>
Yes, you have to keep doing it; it is not a permanent fix :)

> > Or you can use separate Firefox profiles (again I am unsure if Chromium has this feature) for the separate installations.
> >
> > Or for installations / experimentation, you can specify a different "Organization" component of the root issuer DN when installing FreeIPA. I include a "timestamp" when installing test servers:
> >
> > ipa-server-install --subject 'O=IPA.LOCAL 201508311610'
>
> Never knew about that option. It would make sense if something like that was the default I think....
>
I don't think we want it as a default. A `--test' flag that injects a timestamp or some randomness into the DN might be worthwhile.

Cheers,
Fraser

> Thanks for the info.
>
> Regards,
>
> Les
>
> >
> > Hope that helps!
> > Fraser
> >
> > > It's got to do with the fact that the Parent certificate name (generated automatically during install) is the same on both and because the domain matches then firefox throws the ssl warning.
> > >
> > > I have the same thing in my environments for production and dr where the domain name is the same in both.
> > >
> > > Regards,
> > >
> > > Les
> > >
> > > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Winfried de Heiden
> > > Sent: Tuesday, 22 September 2015 10:27 PM
> > > To: freeipa-users at redhat.com
> > > Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
> > >
> > > Hi all,
> > >
> > > Playing around with freeipa on Fedora 22 after installing I cannot access the UI. Firefox will tell "sec_error_reused_issuer_and_serial".
> > >
> > > I already have a Freeipa (Fedora 21 based) and somewhere there seems to be a conflict in the certificates. After using a different domain name all goes well.
> > >
> > > I want to test and try a few things on a test Freeipa server using the same domain name. Deleting all certificates in Firefox or even trying a new and clean profile did not help. How can I avoid this conflict?
> > >
> > > Winfried
> > >
>

From mkosek at redhat.com Wed Sep 23 07:07:31 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 23 Sep 2015 09:07:31 +0200
Subject: [Freeipa-users] [Import existing CA Cert]
In-Reply-To: <56013076.6010801@elegosoft.com>
References: <56013076.6010801@elegosoft.com>
Message-ID: <56024FB3.2060009@redhat.com>

On 09/22/2015 12:41 PM, Michael Anderson wrote:
> Hi All,
>
> we're evaluating freeipa/dogtag as a pki management service and hoping to replace our existing menagerie of bash/openssl scripts. I'm trying to establish a migration path for our existing pki solution and have a few questions:

Hi Michael,

Before you continue with the project, please keep in mind that FreeIPA PKI capabilities are bound to the FreeIPA objects - i.e. users, hosts or services. It does not allow you to generate completely random certificates (at the moment).

> * how can I import and use our existing CA signing cert?
> * can I import existing server certs and keys?

Could you create FreeIPA server CA as subordinate CA to your current CA? To me, it seems the easiest way as I do not think we have some nice CLIs to inject existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they have an idea.

More here:
http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

> * I'm using Fedora22. When I install dogtag-pki, the user page for submitting csr's is available. But when I install the freeipa package, I get a 404 when attempting to access the page. Is this functionality available in freeipa?
When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting and passing the certificates from/to user. I think the Dogtag UI should be still somehow accessible, but is not the supported way.

FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, or via certmonger (man ipa-getcert) component that even renews the certificate.

BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more PKI related capabilities than older versions, starting with Certificate Profiles, which are a must if you do not want to use just single fixed cert profile.

More here:
http://www.freeipa.org/page/Releases/4.2.0

Martin

From dkupka at redhat.com Wed Sep 23 07:09:25 2015
From: dkupka at redhat.com (David Kupka)
Date: Wed, 23 Sep 2015 09:09:25 +0200
Subject: [Freeipa-users] Automatic IPA CA cert generation
In-Reply-To: <56016D95.3080708@jmips.co.uk>
References: <56016D95.3080708@jmips.co.uk>
Message-ID: <56025025.9080609@redhat.com>

On 22/09/15 17:02, James Masson wrote:
>
> Hi,
>
> we're building IPAs in an automated fashion, for environments that get created and destroyed a lot. At the moment, the CA certs used inside these IPAs are self-signed, as part of the normal "ipa-server-install" setup process.
>
> We would like to switch to issuing signed intermediate CA certs to the IPAs we deploy.
>
> The documentation lists the two part process necessary for this. First "--external-ca" - and then "--external-cert-file"
>
> Are there any ways to skip this, and give the setup process a known public/private key+cert up front? I'm hoping to avoid the need to have to use/send this automatically generated CSR every time.
>
> thanks
>
> James M
>

Hello James,
currently it's not possible but making installation with externally signed CA single step sounds really useful to me.

Currently certmonger is generating the CSR for FreeIPA server in the first step of installation.
Certmonger is also able to send certificate to external CA for signing. I'm not sure if we could combine these two certmonger abilities right now but if not it shouldn't be difficult to add functionality to certmonger to send the CSR to preconfigured CA instead of just storing it in file. This would of course require configuring the certmonger with information about the CA before FreeIPA server installation but it's just one command (getcert-add-ca).

Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?

--
David Kupka

From mkosek at redhat.com Wed Sep 23 07:14:06 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 23 Sep 2015 09:14:06 +0200
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To: <1442945541.10697.129.camel@redhat.com>
References: <1442926553.10697.70.camel@redhat.com> <1442945541.10697.129.camel@redhat.com>
Message-ID: <5602513E.8090505@redhat.com>

On a related point to this note - Duncan, did you try to run your setup with RPM version of FreeIPA? FreeIPA 4.2 is included both in RHEL-7.2 Beta or in Fedora 23 Beta updates-testing repo, so you can try the latest and greatest version there and thus find out if the problems you are seeing are specific to the containerization or rather a general issue.

On 09/22/2015 08:12 PM, Nathaniel McCallum wrote:
> Running IPA in a container is very bleeding edge. I would not be surprised at all if you run into lots of problems.
>
> On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
>> Thanks Nathaniel,
>> I am running with Jan's Centos-7 container and I'd like to have Multi-factor Authentication/2FA enabled.
>> He mentioned that systemd is not running in the container, so I guess that explains why 2FA is failing. I wonder if I can get systemd running there.
>> --Duncan
>>
>>
>> Thanks
>> --Duncan
>> ____________________________
>> Duncan McNaught
>> Infrastructure Engineer
>> Technologies | www.bitnet.io
>> +1 720 240 6575
>>
>> On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum wrote:
>>> On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
>>>> Dear freeipa-users,
>>>>
>>>> I'm having an issue with otp in freeipa. I can set up the service as described in the blog post for TOTP or HOTP, and sync the token fine.
>>>> When I try to login to the admin tools or an ipa-managed client (with ) , I get a password incorrect message.
>>>> Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
>>>> Can anyone help me to debug/get this working?
>>>
>>> I'm very unclear as to what you are trying to do. Are you trying to run FreeIPA in a container? If so, Jan is probably your man. AFAIK, ipa-otpd will require systemd in the container.
>>>
>>> If you are trying to run this on CentOS 7.1 (not a container), it seems to me that your LDAP server isn't running or something is wrong with ldapi.
>>>
>>> Can you explain your setup in more detail?
>>>
>>> Nathaniel
>>>
>

From wdh at dds.nl Wed Sep 23 07:57:15 2015
From: wdh at dds.nl (Winfried de Heiden)
Date: Wed, 23 Sep 2015 09:57:15 +0200
Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
In-Reply-To: <20150923005919.GV16937@dhcp-40-8.bne.redhat.com>
References: <20150921230649.28a30d74@ispx.vb.futz.org> <5600F9DC.5020905@redhat.com> <20150922073244.GB4459@redhat.com> <5601491D.5070706@dds.nl> <4ED173A868981548967B4FCA2707222628226302@AACMBXP04.exchserver.com> <20150923005919.GV16937@dhcp-40-8.bne.redhat.com>
Message-ID: <56025B5B.3000709@dds.nl>

Hi all,

Including a "timestamp" when installing test servers like "ipa-server-install --subject 'O=IPA.LOCAL 201508311610'....." looks promising. I will try that!
Kind regards,

Winfried

On 23-09-15 at 02:59, Fraser Tweedale wrote:
> On Tue, Sep 22, 2015 at 09:52:38PM +0000, Les Stott wrote:
>> The only way to get around it, because you are using the same domain name, is to use different browsers to visit each site.
>> Firefox for sitea, chrome for siteb.
>>
> It is not the only way; you can flush your browser cache / offline data for the site and cause the browser to forget about the issuer.
> Certainly with Firefox this is possible (I don't use Chromium).
>
> Or you can use separate Firefox profiles (again I am unsure if Chromium has this feature) for the separate installations.
>
> Or for installations / experimentation, you can specify a different "Organization" component of the root issuer DN when installing FreeIPA. I include a "timestamp" when installing test servers:
>
> ipa-server-install --subject 'O=IPA.LOCAL 201508311610'
>
> Hope that helps!
> Fraser
>
>> It's got to do with the fact that the Parent certificate name (generated automatically during install) is the same on both and because the domain matches then firefox throws the ssl warning.
>>
>> I have the same thing in my environments for production and dr where the domain name is the same in both.
>>
>> Regards,
>>
>> Les
>>
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Winfried de Heiden
>> Sent: Tuesday, 22 September 2015 10:27 PM
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
>>
>> Hi all,
>>
>> Playing around with freeipa on Fedora 22 after installing I cannot access the UI. Firefox will tell "sec_error_reused_issuer_and_serial".
>>
>> I already have a Freeipa (Fedora 21 based) and somewhere there seems to be a conflict in the certificates. After using a different domain name all goes well.
>>
>> I want to test and try a few things on a test Freeipa server using the same domain name.
>> Deleting all certificates in Firefox or even trying a new and clean profile did not help. How can I avoid this conflict?
>>
>> Winfried
>>

From mlasevich at gmail.com Wed Sep 23 08:35:32 2015
From: mlasevich at gmail.com (Michael Lasevich)
Date: Wed, 23 Sep 2015 01:35:32 -0700
Subject: [Freeipa-users] Possible bug in ipa-replica-install/pkispawn - or maybe lib mismatch

Ok, I just went through process of migrating our IPA setup from 4.1.2 running on Fedora 20 (?? may have been 21) to 4.1.4 on CentOS 7 (MKosek Copr version) and ran into a nasty bug.

The replica-install crashes during CA configuration with something like:

    ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpXXXXXX'' returned non-zero exit status 1

Skipping CA works, but I needed the CA.

Upon digging into this, I found the issue appears to be in pki python, in file:

    /usr/lib/python2.7/site-packages/pki/system.py

It looks like it makes a call to "/ca/rest/securityDomain/domainInfo" and gets an XML doc which it converts to JSON. Somehow it gets mangled before it looks at it. XML has outermost tag of "DomainInfo" - but JSON starts with "Subsystem" (one layer lower) - I am guessing the JSON converter strips the "root" tag.

I bypassed this by hardcoding id as "IPA" - but obviously that is sub-optimal.

Looking at Fedora box, it looks like the difference is in the version of PKI package that provides the lib - on Centos you get pki-base 10.1.2 (pki-base-10.1.2-7.1.el7.centos.noarch) - while on Fedora it was a 10.2 branch (and significantly different content in that file).

Anyway, I saw some reports of this bug in searches and no answers - so I figured I would offer this pointer in (hopefully) the right direction.

-M
From mkosek at redhat.com Wed Sep 23 08:51:54 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 23 Sep 2015 10:51:54 +0200
Subject: [Freeipa-users] [Import existing CA Cert]
In-Reply-To: <56025D66.4050800@elegosoft.com>
References: <56013076.6010801@elegosoft.com> <56024FB3.2060009@redhat.com> <56025D66.4050800@elegosoft.com>
Message-ID: <5602682A.8000807@redhat.com>

On 09/23/2015 10:05 AM, Michael Anderson wrote:
> Hi Martin,
>
> thanks for your reply.
>
> On 09/23/2015 09:07 AM, Martin Kosek wrote:
>> On 09/22/2015 12:41 PM, Michael Anderson wrote:
>>> Hi All,
>>>
>>> we're evaluating freeipa/dogtag as a pki management service and hoping to replace our existing menagerie of bash/openssl scripts. I'm trying to establish a migration path for our existing pki solution and have a few questions:
>> Hi Michael,
>>
>> Before you continue with the project, please keep in mind that FreeIPA PKI capabilities are bound to the FreeIPA objects - i.e. users, hosts or services. It does not allow you to generate completely random certificates (at the moment).
>
> Does that mean that I can only generate certificates for hosts running the client software?

Well, you need at least the host object in FreeIPA, to be able to generate certificate for it. It does not need to be effectively used.

> What I'd really like to be able to do is automate Apache/Nginx SSL cert generation for our dev/continuous-delivery infrastructure. So I'd like to have two or three signing CA's for dev, staging and prod and automate CSR creation, signing and deployment. Is this feasible with freeipa?

So the requirement here is to have different Sub-CA for these environments?
FreeIPA 4.2 cannot do Sub-CAs yet, this is work proposed for next release:
https://fedorahosted.org/freeipa/ticket/4559

BTW, this is how you can request renewable certificates for HTTP with FreeIPA:
http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger

>>> * how can I import and use our existing CA signing cert?
>>> * can I import existing server certs and keys?
>> Could you create FreeIPA server CA as subordinate CA to your current CA? To me, it seems the easiest way as I do not think we have some nice CLIs to inject existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they have an idea.
>>
>> More here:
>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>
> With my current project I'll be rebuilding a lot of stuff, so starting fresh with a new freeipa-generated signing cert won't be such a problem. That said, it seems to me that the ability to import and use an existing signing cert would lower the adoption threshold for new users.

My point was that if FreeIPA is a subordinate CA, it should be still trusted by your clients that would have already imported its CA certificate.

>>> * I'm using Fedora22. When I install dogtag-pki, the user page for submitting csr's is available. But when I install the freeipa package, I get a 404 when attempting to access the page. Is this functionality available in freeipa?
>> When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting and passing the certificates from/to user. I think the Dogtag UI should be still somehow accessible, but is not the supported way.
>>
>> FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, or via certmonger (man ipa-getcert) component that even renews the certificate.
>>
>> BTW, what version of FreeIPA are you using?
>> FreeIPA 4.2 provides much more PKI related capabilities than older versions, starting with Certificate Profiles, which are a must if you do not want to use just single fixed cert profile.
>
> I'm using the version packaged with Fedora 22, 4.1.4

Ok. If you want to try the new FreeIPA 4.2 with Certificate Profiles on Fedora 22, there should be a COPR repo also:
https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/

>> More here:
>> http://www.freeipa.org/page/Releases/4.2.0
>>
>> Martin
>

From mlasevich at gmail.com Wed Sep 23 09:00:29 2015
From: mlasevich at gmail.com (Michael Lasevich)
Date: Wed, 23 Sep 2015 02:00:29 -0700
Subject: [Freeipa-users] How to turn off RC4 in 389ds???

OK, this is most bizarre issue, I am trying to disable RC4 based TLS Cipher Suites in LDAPs (port 636) and for the life of me cannot get it to work.

I have followed many nearly identical instructions to create ldif file and change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough - and I get it to take, and during the startup I can see the right SSL Cipher Suites listed in errors.log - but when it starts and I probe it, RC4 ciphers are still there. I am completely confused.

I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4") and to old style cipher lists (lowercase), and new style cipher lists (uppercase), and nothing seems to make any difference.

Any ideas?

-M
From baghery.jone at gmail.com Wed Sep 23 09:18:47 2015
From: baghery.jone at gmail.com (alireza baghery)
Date: Wed, 23 Sep 2015 12:48:47 +0330
Subject: [Freeipa-users] sudo not work in linux

Hi,
I have CentOS 6.7 (IPA server) and CentOS 6.5 (client).
I cannot sudo on the client.
I added a sudo rule on IPA.
I configured the file sss.conf:
+++++++
[domain/l.infotechpsp.net]
debug_level = 6
#cache_credentials = True
#krb5_store_password_if_offline = True
ipa_domain = l.infotechpsp.net
id_provider = ipa
#auth_provider = ipa
#access_provider = ipa
#ipa_hostname = switchlive.l.infotechpsp.net
#chpass_provider = ipa
ipa_server = _srv_, ipasrv.l.infotechpsp.net
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri =ldap://ipasrv.l.infotechpsp.net
ldap_sudo_search_base = ou=sudoers,dc=l,dc=infotechpsp,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ussd7rep.l.infotechpsp.net
ldap_sasl_realm = L.INFOTECHPSP.NET
krb5_server = ipasrv.l.infotechpsp.net

[sssd]
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam, ssh, sudo
domains = l.infotechpsp.net

[nss]

[pam]
+++++++
In the file nsswitch.conf I added:
sudoers: files sss

And the log file /var/log/sss/sss_l.....:
+++++
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [be_resolve_server_process] (0x0200): Found address for server ipasrv.l.infotechpsp.net: [10.30.160.19] TTL 1200
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_L.INFOTECHPSP.NET], expired on [1443085132]
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ussd7rep.l.infotechpsp.net
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [child_sig_handler] (0x0100): child [12755] finished successfully.
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipasrv.l.infotechpsp.net' as 'working'
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [set_server_common_status] (0x0100): Marking server 'ipasrv.l.infotechpsp.net' as 'working'
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectclass=sudoRole)(entryUSN>=128274)(!(entryUSN=128274)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ussd7rep.l.infotechpsp.net)(sudoHost=ussd7rep)(sudoHost=10.30.110.11)(sudoHost=10.30.110.0/24)(sudoHost=fe80::250:56ff:feaf:3ca6)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=l,dc=infotechpsp,dc=net].
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in cache
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_smart_refresh_done] (0x0400): Successful smart refresh of sudo rules
+++++

From yamakasi.014 at gmail.com Wed Sep 23 09:32:43 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Wed, 23 Sep 2015 11:32:43 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Guys,

Please keep this topic updated as many people seem to have this question.

What's the status at your side?

Cheers,

Matt

2015-09-04 15:27 GMT+02:00 Matt . :
> Hi,
>
> Does everyone have this working or given up on it?
>
> Cheers,
>
> Matt
>
> 2015-08-26 20:07 GMT+02:00 Matt . :
>> Chris,
>>
>> How far are you on this? I'm stuck atm :(
>>
>> I hope you have some reference notes to follow and check out.
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-20 22:15 GMT+02:00 Matt . :
>>> Hi Chris,
>>>
>>> Would be great to see!
>>>
>>> If I have it working and we have 2-3 testcases I think we can add it to the IPA docs!
>>>
>>> Keep me updated!
>>>
>>> Thanks
>>>
>>> Matt
>>>
>>> 2015-08-20 8:49 GMT+02:00 Christopher Lamb :
>>>> Matt
>>>>
>>>> Once I got Samba and FreeIPA integrated (by the "good old extensions" path), I always use FreeIPA to administer users. I have never tried the samba tools like smbpasswd.
>>>>
>>>> I still have a wiki how-to in the works, but I had to focus on some other issues for a while.
>>>>
>>>> Chris
>>>>
>>>> From: "Matt ."
>>>> To: Youenn PIOLET
>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>> Date: 20.08.2015 08:12
>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>
>>>> Hi Guys,
>>>>
>>>> Anyone still a working clue/test here?
>>>>
>>>> I didn't come further as it seems there need to be some domain join / match following the freeipa devs.
>>>>
>>>> Thanks!
>>>>
>>>> Matt
>>>>
>>>> 2015-08-13 13:09 GMT+02:00 Matt . :
>>>>> Hi,
>>>>>
>>>>> I might have found something which I had already seen in the logs.
>>>>>
>>>>> I did a smbpasswd my username on the samba server, it connects to ldap very well. I give my new password and get the following:
>>>>>
>>>>> smbldap_search_ext: base => [dc=my,dc=domain], filter => [(&(objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1----my--sid---)))], scope => [2]
>>>>> Attribute [displayName] not found.
>>>>> Could not retrieve 'displayName' attribute from cn=Default SMB Group,cn=groups,cn=accounts,dc=my,dc=domain
>>>>> Sid S-1----my--sid--- -> MYDOMAIN\Default SMB Group(2)
>>>>>
>>>>> So something is missing!
>>>>>
>>>>> Thanks so far guys!
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-13 12:02 GMT+02:00 Matt . :
>>>>>> Hi Youenn,
>>>>>>
>>>>>> OK thanks! This takes me a little bit further now and I see some good stuff in my logging.
>>>>>>
>>>>>> I'm testing on a Windows 10 machine which is not a member of an AD or so, so that might be my issue for now?
>>>>>>
>>>>>> When testing on the samba box itself as my user I get:
>>>>>>
>>>>>> [myusername at smb-01 ~]$ smbclient //smb-01.domain.local/shares
>>>>>> ...
>>>>>> Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
>>>>>> ...
>>>>>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>>>>>>
>>>>>> Maybe I have an issue with encrypted passwords?
>>>>>>
>>>>>> When we have this all working, I think we have a howto :D
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET :
>>>>>>> Hi Matt
>>>>>>>
>>>>>>> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly? sambaSamAccount is not needed anymore that way.
>>>>>>> - Default IPA Way : won't work if your Windows is not part of a domain controller. DOMAIN\username may work for some users using Windows 7 - not 8 nor 10 (it did for me but I was the only one at the office... quite useless)
>>>>>>>
>>>>>>> This config may work on your CentOS (for the ipasam way):
>>>>>>> workgroup = TEST
>>>>>>> realm = TEST.NET
>>>>>>> kerberos method = dedicated keytab
>>>>>>> dedicated keytab file = FILE:/<.....>/samba.keytab
>>>>>>> create krb5 conf = no
>>>>>>> security = user
>>>>>>> encrypt passwords = true
>>>>>>> passdb backend = ipasam:ldaps://youripa.test.net
>>>>>>> ldapsam:trusted = yes
>>>>>>> ldapsuffix = test.net
>>>>>>> ldap user suffix = cn=users,cn=accounts
>>>>>>> ldap group suffix = cn=groups,cn=accounts
>>>>>>>
>>>>>>> --
>>>>>>> Youenn Piolet
>>>>>>> piolet.y at gmail.com
>>>>>>>
>>>>>>> 2015-08-12 22:15 GMT+02:00 Matt . :
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> OK the default IPA way works great actually when testing it as described here:
>>>>>>>>
>>>>>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>>>>
>>>>>>>> On the samba server I can auth and see my share where I want to connect to.
>>>>>>>>
>>>>>>>> The issue is, on Windows I cannot auth, even when I do DOMAIN\username as username
>>>>>>>>
>>>>>>>> So, the IPA way should work.
>>>>>>>>
>>>>>>>> Any comments here?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> 2015-08-12 19:00 GMT+02:00 Matt . :
>>>>>>>> > Hi Guys,
>>>>>>>> >
>>>>>>>> > I'm testing this out and I think I almost have this set up, on a CentOS samba server.
>>>>>>>> >
>>>>>>>> > I'm using the ipa-adtrust way of Youenn but it seems we still need to add (objectclass=sambaSamAccount))?
>>>>>>>> >
>>>>>>>> > Info is welcome!
>>>>>>>> >
>>>>>>>> > I will report back when I have it working.
>>>>>>>> >
>>>>>>>> > Thanks!
>>>>>>>> >
>>>>>>>> > Matt
>>>>>>>> >
>>>>>>>> > 2015-08-10 11:16 GMT+02:00 Christopher Lamb :
>>>>>>>> >> The next route I will try - is the one Youenn took, using ipa-adtrust
>>>>>>>> >>
>>>>>>>> >> From: "Matt ."
>>>>>>>> >> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>>> >> Date: 10.08.2015 10:03
>>>>>>>> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> >>
>>>>>>>> >> Hi Chris,
>>>>>>>> >>
>>>>>>>> >> Okay this is good to hear.
>>>>>>>> >>
>>>>>>>> >> But don't we want an IPA managed Scheme?
>>>>>>>> >>
>>>>>>>> >> When I did a "ipa-adtrust-install --add-sids" it also wanted a locally installed Samba and I wonder why.
>>>>>>>> >>
>>>>>>>> >> Good that we make some progress on making it all clear.
>>>>>>>> >>
>>>>>>>> >> Cheers,
>>>>>>>> >>
>>>>>>>> >> Matt
>>>>>>>> >>
>>>>>>>> >> 2015-08-10 6:12 GMT+02:00 Christopher Lamb :
>>>>>>>> >>> ldapsam + the samba extensions, pretty much as described in the Techslaves article. Once I have a draft for the wiki page, I will mail you.
>>>>>>>> >>>
>>>>>>>> >>> From: "Matt ."
>>>>>>>> >>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>>> >>> Date: 09.08.2015 21:17
>>>>>>>> >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> >>>
>>>>>>>> >>> Hi,
>>>>>>>> >>>
>>>>>>>> >>> Yes I know about "anything" but which way did you use now?
>>>>>>>> >>>
>>>>>>>> >>> 2015-08-09 20:56 GMT+02:00 Christopher Lamb :
>>>>>>>> >>>> Hi Matt
>>>>>>>> >>>>
>>>>>>>> >>>> I am on OEL 7.1. - so anything that works on that should be good for RHEL and Centos 7.x
>>>>>>>> >>>>
>>>>>>>> >>>> I intend to add a how-to to the FreeIPA Wiki over the next few days. As we have suggested earlier, we will likely end up with several, one for each of the possible integration paths.
>>>>>>>> >>>>
>>>>>>>> >>>> Chris
>>>>>>>> >>>>
>>>>>>>> >>>> From: "Matt ."
>>>>>>>> >>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>>> >>>> Date: 09.08.2015 16:45
>>>>>>>> >>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> >>>>
>>>>>>>> >>>> Hi Chris,
>>>>>>>> >>>>
>>>>>>>> >>>> This sounds great!
>>>>>>>> >>>>
>>>>>>>> >>>> What are you using now, both CentOS? So Samba and FreeIPA?
>>>>>>>> >>>>
>>>>>>>> >>>> Maybe it's good to explain which way you used now in steps too, so we can combine or create multiple howto's?
>>>>>>>> >>>>
>>>>>>>> >>>> At least we are going somewhere!
>>>>>>>> >>>>
>>>>>>>> >>>> Thanks,
>>>>>>>> >>>>
>>>>>>>> >>>> Matt
>>>>>>>> >>>>
>>>>>>>> >>>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb :
>>>>>>>> >>>>> Hi Matt
>>>>>>>> >>>>>
>>>>>>>> >>>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old Samba Schema extensions" is up and working, almost flawlessly.
>>>>>>>> >>>>>
>>>>>>>> >>>>> I can add users and groups via the FreeIPA CLI, and they get the correct ObjectClasses / attributes required for Samba.
>>>>>>>> >>>>>
>>>>>>>> >>>>> So far I have not yet bothered to try the extensions to the WebUI, because it is currently giving me the classic "Your session has expired. Please re-login." error which renders the WebUI useless.
>>>>>>>> >>>>>
>>>>>>>> >>>>> The only problem I have so far encountered managing Samba / FreeIPA users via FreeIPA CLI commands is with the handling of the attribute sambaPwdLastSet. This is the subject of an existing thread, also updated today.
>>>>>>>> >>>>>
>>>>>>>> >>>>> There is also an existing alternative to hacking group.py, using "Class of Service" (Cos) documented in this thread from February 2015 https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html . I have not yet tried it, but it sounds reasonable.
>>>>>>>> >>>>>
>>>>>>>> >>>>> Chris
>>>>>>>> >>>>>
>>>>>>>> >>>>> From: "Matt ."
>>>>>>>> >>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>>>>> >>>>> Cc: "freeipa-users at redhat.com" , Youenn PIOLET
>>>>>>>> >>>>> Date: 06.08.2015 16:19
>>>>>>>> >>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> >>>>>
>>>>>>>> >>>>> Hi Chris,
>>>>>>>> >>>>>
>>>>>>>> >>>>> OK, then we might create two different versions of the wiki, I think this is nice.
>>>>>>>> >>>>>
>>>>>>>> >>>>> I'm still figuring out why I get that:
>>>>>>>> >>>>>
>>>>>>>> >>>>> IPA Error 4205: ObjectclassViolation
>>>>>>>> >>>>>
>>>>>>>> >>>>> missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>>>>>>>> >>>>>
>>>>>>>> >>>>> Matt
>>>>>>>> >>>>>
>>>>>>>> >>>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb :
>>>>>>>> >>>>>> Hi Matt
>>>>>>>> >>>>>>
>>>>>>>> >>>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA integration paths.
>>>>>>>> >>>>>>
>>>>>>>> >>>>>> The route I took is suited where there is no Active Directory involved: In my case all the Windows, OSX and Linux clients are islands that sit on the same network.
>>>>>>>> >>>>>>
>>>>>>>> >>>>>> The route that Youenn has taken (unless I have got completely the wrong end of the stick) requires Active Directory in the architecture.
>>>>>>>> >>>>>>
>>>>>>>> >>>>>> Chris
>>>>>>>> >>>>>>
>>>>>>>> >>>>>> From: "Matt ."
>>>>>>>> >>>>>> To: Youenn PIOLET
>>>>>>>> >>>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>>> >>>>>> Date: 06.08.2015 14:42
>>>>>>>> >>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> >>>>>>
>>>>>>>> >>>>>> Hi,
>>>>>>>> >>>>>>
>>>>>>>> >>>>>> OK, this sounds already quite logical, but I'm still referring to the old howto we found earlier, does that one still apply somewhere or not at all?
>>>>>>>> >>>>>>
>>>>>>>> >>>>>> Thanks,
>>>>>>>> >>>>>>
>>>>>>>> >>>>>> Matt
>>>>>>>> >>>>>>
>>>>>>>> >>>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>>>>>>>> >>>>>>> Hey guys,
>>>>>>>> >>>>>>>
>>>>>>>> >>>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>>>>>>> >>>>>>>
>>>>>>>> >>>>>>> General idea:
>>>>>>>> >>>>>>>
>>>>>>>> >>>>>>> On FreeIPA (4.1)
>>>>>>>> >>>>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier attribute, also known as SID)
>>>>>>>> >>>>>>> - regenerate each user password to build ipaNTHash attribute, not here by default on users
>>>>>>>> >>>>>>> - use your ldap browser to check ipaNTHash values are here on user objects
>>>>>>>> >>>>>>> - create a CIFS service for your samba server
>>>>>>>> >>>>>>> - Create user roles/permissions as described here: http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa so that CIFS service will be able to read ipaNTsecurityidentifier and
>>>>>>>> >>>>>>> ipaNTHash attributes in LDAP (ACI)
>>>>>>>> >>>>>>> - SCP ipasam.so module to your cifs server (this is the magic trick) : scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/ You can also try to recompile it.
>>>>>>>> >>>>>>>
>>>>>>>> >>>>>>> On SAMBA Server side (CentOS 7...)
>>>>>>>> >>>>>>> - Install server keytab file for CIFS
>>>>>>>> >>>>>>> - check ipasam.so is here.
>>>>>>>> >>>>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI uid=admin ipaNTHash` thanks to kerberos
>>>>>>>> >>>>>>> - make your smb.conf following the linked thread and restart service
>>>>>>>> >>>>>>>
>>>>>>>> >>>>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and ipasam may use quite recent functionalities, the best is to just try. You can read in previous thread : "If you insist on Ubuntu you need to get ipasam somewhere, most likely to compile it yourself".
>>>>>>>> >>>>>>>
>>>>>>>> >>>>>>> Make sure your user has ipaNTHash attribute :)
>>>>>>>> >>>>>>>
>>>>>>>> >>>>>>> You may want to debug authentication on samba server, I usually do this: `tail -f /var/log/samba/log* | grep
>>>>>>>> >>>>>>>
>>>>>>>> >>>>>>> Cheers
>>>>>>>> >>>>>>> --
>>>>>>>> >>>>>>> Youenn Piolet
>>>>>>>> >>>>>>> piolet.y at gmail.com
>>>>>>>> >>>>>>>
>>>>>>>> >>>>>>> 2015-08-05 17:40 GMT+02:00 Matt . :
>>>>>>>> >>>>>>>> Hi,
>>>>>>>> >>>>>>>>
>>>>>>>> >>>>>>>> This sounds great to me too, but a howto would help to make it more clear about what you have done here. The thread confuses me a little bit.
>>>>>>>> >>>>>>>>
>>>>>>>> >>>>>>>> Can you paste your commands so we can test out too and report back?
>>>>>>>> >>>>>>>>
>>>>>>>> >>>>>>>> Thanks!
>>>>>>>> >>>>>>>>
>>>>>>>> >>>>>>>> Matt
>>>>>>>> >>>>>>>>
>>>>>>>> >>>>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
>>>>>>>> >>>>>>>> > Hi Youenn
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > Good news that you have got an integration working
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > Now you have got it going, and the solution is fresh in your mind, how about adding a How-to page on this solution to the FreeIPA wiki?
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > Chris
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > From: Youenn PIOLET
>>>>>>>> >>>>>>>> > To: "Matt ."
>>>>>>>> >>>>>>>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>>> >>>>>>>> > Date: 05.08.2015 14:51
>>>>>>>> >>>>>>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > Hi guys,
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > Thank you so much for your previous answers.
>>>>>>>> >>>>>>>> > I realised my SID were stored in ipaNTsecurityidentifier, thanks to ipa-adtrust-install --add-sids
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > I found another way to configure smb here:
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > It works perfectly.
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > I'm using module ipasam.so I have manually scp'd to the samba server, Samba is set to use kerberos + ldapsam via this ipasam module.
>>>>>>>> >>>>>>>> > Following the instructions, I created a user role allowing service principal to read ipaNTHash value from the LDAP.
>>>>>>>> >>>>>>>> > ipaNTHash are generated each time a user changes his password.
>>>>>>>> >>>>>>>> > Authentication works perfectly on Windows 7, 8 and 10.
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > For more details, the previously linked thread is quite clear.
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > Cheers
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > --
>>>>>>>> >>>>>>>> > Youenn Piolet
>>>>>>>> >>>>>>>> > piolet.y at gmail.com
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > 2015-08-05 11:10 GMT+02:00 Matt . :
>>>>>>>> >>>>>>>> > Hi Chris.
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > Yes, Apache Studio did that but I was not sure why it complained it was "already" there.
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > I'm still getting:
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > IPA Error 4205: ObjectclassViolation
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > When adding a user.
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > I also see "class" as fieldname under my "Last name", this is not OK also.
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > We sure need to make some howto, I think we can nail this down :)
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > Thanks for the heads up!
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > Matthijs
>>>>>>>> >>>>>>>> >
>>>>>>>> >>>>>>>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>>>>>>>> >>>>>>>> > > Hi Matt
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > #!RESULT OK
>>>>>>>> >>>>>>>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>>>>>>>> >>>>>>>> > > #!DATE 2015-08-05T05:45:04.608
>>>>>>>> >>>>>>>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>>>>>> >>>>>>>> > > changetype: modify
>>>>>>>> >>>>>>>> > > add: ipaCustomFields
>>>>>>>> >>>>>>>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > After that I then have a visible attribute ipaCustomFields as expected.
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > When adding the attribute, the wizard offered me "ipaCustomFields" as attribute type in a drop down list.
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > Once we get this cracked, we really must write a how-to on the FreeIPA Wiki.
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > Chris
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>>>>> >>>>>>>> > > To: "Matt ."
>>>>>>>> >>>>>>>> > > Cc: "freeipa-users at redhat.com"
>>>>>>>> >>>>>>>> > > Date: 05.08.2015 07:31
>>>>>>>> >>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> >>>>>>>> > > Sent by: freeipa-users-bounces at redhat.com
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > Hi Matt
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > I also got the same result at that step, but can see nothing in Apache Directory Studio.
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > As I am using existing Samba / FreeIPA groups migrated across, they probably were migrated with all the required attributes.
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > Looking more closely at that LDIF: I wonder should it not be:
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>>>>>> >>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>>>> >>>>>>>> > > changetype: modify
>>>>>>>> >>>>>>>> > > add: ipaCustomFields
>>>>>>>> >>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>>>> >>>>>>>> > > EOF
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > i.e. changetype: modify, instead of changetype add?
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > I don't want to play around with my prod directory - I will setup an EL 7.1 VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around more destructively.
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > Chris
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > From: "Matt ."
>>>>>>>> >>>>>>>> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>>>>> >>>>>>>> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
>>>>>>>> >>>>>>>> > > Date: 05.08.2015 01:01
>>>>>>>> >>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > Hi Chris,
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > I'm at the right path, but my issue is that:
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>>>>>> >>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>>>> >>>>>>>> > > changetype: add
>>>>>>>> >>>>>>>> > > add: ipaCustomFields
>>>>>>>> >>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>>>> >>>>>>>> > > EOF
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > Does say it exists, my ldap explorer doesn't show it, and when I add it manually as an attribute it still fails when I add a user on this sambagrouptype as it's needed by the other attributes
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > So that is my issue I think so far.
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > Any clue about that?
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > No problem "you don't know something or are no guru" we are all learning!
>>>>>>>> >>>>>>>> > > :)
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > Cheers,
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > Matt
>>>>>>>> >>>>>>>> > >
>>>>>>>> >>>>>>>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>>>>> >>>>>>>> > >> Hi Matt, Youenn
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> Just to set the background properly, I did not invent this process. I know only a little about FreeIPA, and almost nothing about Samba, but I guess I was lucky enough to get the integration working on a Sunday afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> It sounds like we need to step back, and look at the test user and group in the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA (cn=accounts, cn=users):
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> * objectClass: sambasamaccount
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA (cn=accounts, cn=groups):
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> * objectClass: sambaGroupMapping
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> * Attributes: sambaGroupType, sambaSID
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> The Users must belong to one or more of the samba groups that you have setup.
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> If you don't have something similar to the above (which sounds like it is the case), then something went wrong applying the extensions. It would be worth testing comparing a new user / group created post adding the extensions to a previous existing user.
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> i.e.
>>>>>>>> >>>>>>>> > >> are the extensions missing on existing users / groups?
>>>>>>>> >>>>>>>> > >> are the extensions missing on new users / groups?
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> Cheers
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> Chris
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> From: Youenn PIOLET
>>>>>>>> >>>>>>>> > >> To: "Matt ."
>>>>>>>> >>>>>>>> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>>> >>>>>>>> > >> Date: 04.08.2015 18:56
>>>>>>>> >>>>>>>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> Hi there,
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> I have difficulties to follow you at this point :)
>>>>>>>> >>>>>>>> > >> Here is what I've done and what I've understood:
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> ## SMB Side
>>>>>>>> >>>>>>>> > >> - Testparm OK
>>>>>>>> >>>>>>>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
>>>>>>>> >>>>>>>> > >> - pdbedit -Lv output is all successful but I can see there is a filter : (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have sambaSamAccount.
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> ## LDAP / FreeIPA side
>>>>>>>> >>>>>>>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA server to get samba LDAP extensions.
>>>>>>>> >>>>>>>> > >> - I can see samba classes exist in LDAP but are not used on my group objects nor my user objects
>>>>>>>> >>>>>>>> > >> - I have added sambaSamAccount in FreeIPA default user classes, and sambaGroupMapping to default group classes. In that state I can't create user nor groups anymore, as new samba attributes are needed for instantiation.
>>>>>>>> >>>>>>>> > >> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' but I don't get what it does.
>>>>>>>> >>>>>>>> > >> - I tried to add the samba.js plugin. It works, and adds the "local" option when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 (domain). It doesn't work and tells that sambagrouptype attribute doesn't exist (but it should now I put sambaGroupType class by default...)
>>>>>>>> >>>>>>>> > >>
>>>>>>>> >>>>>>>> > >> ## Questions
>>>>>>>> >>>>>>>> > >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix instead? I guess no.
>>>>>>>> >>>>>>>> > >> 1) How to generate the user/group SIDs? They are requested to add sambaSamAccount classes.
>>>>>>>> >>>>>>>> > >> This article doesn't seem relevant since we don't use >>>>>>>> >>>>>>>> > domain >>>>>>>> >>>>>>>> > controller >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > > >>>>>>>> >>>>>>>> > >>>>>>>> >>>>>>>> > >>>>>>>> >>>>>> >>>>>>>> >>>>> >>>>>>>> >>>> >>>>>>>> >>> >>>>>>>> >> >>>>>>>> >> >>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html >>>>>>>> >>>>>>>> > >>>>>>>> >>>>>>>> > >> and netgetlocalsid returns an error. >>>>>>>> >>>>>>>> > >> 2) How to fix samba.js plugin? >>>>>>>> >>>>>>>> > >> 3) I guess an equivalent of samba.js is needed for >>>> user >>>>>>>> >>>>> creation, >>>>>>>> >>>>>>>> > where >>>>>>>> >>>>>>>> > > can >>>>>>>> >>>>>>>> > >> I find it? >>>>>>>> >>>>>>>> > >> 4) Is your setup working with Windows 8 / Windows 10 >>>> and >>>>>>>> >>>>>>>> > not >>>>>>>> >>>>> only >>>>>>>> >>>>>>>> > Windows >>>>>>>> >>>>>>>> > >> 7? >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> Thanks a lot for your previous and future answers >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> -- >>>>>>>> >>>>>>>> > >> Youenn Piolet >>>>>>>> >>>>>>>> > >> piolet.y at gmail.com >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> 2015-08-04 17:55 GMT+02:00 Matt . >>>>>>>> >>>>>>>> > : >>>>>>>> >>>>>>>> > >> Hi, >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> Yes, log is anonymised. >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> It's strange, my user doesn't have a >>>> SambaPwdLastSet, >>>>>>>> >>>>>>>> > also >>>>>>>> >>>>> when >>>>>>>> >>>>>> I >>>>>>>> >>>>>>>> > >> change it's password it doesn't get it in ldap. >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> There must be something going wrong I guess. 
>>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> Matt >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb >>>>>>>> >>>>>>>> > > >>>>>>> >>>>>>>> > >> >: >>>>>>>> >>>>>>>> > >> > Hi Matt >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > I assume [username] is a real username, identical >>>> to >>>>>>>> >>>>>>>> > that >>>>>>>> >>>> in >>>>>>>> >>>>>>>> > the >>>>>>>> >>>>>>>> > >> FreeIPA >>>>>>>> >>>>>>>> > >> > cn=accounts, cn=users tree? (i.e. you anonymised >>>> the >>>>>>>> >>>>>>>> > log >>>>>>>> >>>>>>>> > extract). >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > You user should be a member of the appropriate >>>> samba >>>>>>>> >>> groups >>>>>>>> >>>>>>>> > that >>>>>>>> >>>>>>>> > you >>>>>>>> >>>>>>>> > >> setup >>>>>>>> >>>>>>>> > >> > in FreeIPA. >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > You should check that the user attribute >>>>>>>> >>>>>>>> > SambaPwdLastSet >>>>>>>> >>> is >>>>>>>> >>>>>> set >>>>>>>> >>>>>>>> > to >>>>>>>> >>>>>>>> > a >>>>>>>> >>>>>>>> > >> > positive value (e.g. 1). If not you get an error >>>> in >>>>>>>> >>>>>>>> > the >>>>>>>> >>>>> Samba >>>>>>>> >>>>>>>> > logs >>>>>>>> >>>>>>>> > - >>>>>>>> >>>>>>>> > > I >>>>>>>> >>>>>>>> > >> > would need to play around again with a test user >>>> to >>>>>>>> >>>>>>>> > find >>>>>>>> >>>> out >>>>>>>> >>>>>>>> > the >>>>>>>> >>>>>>>> > > exact >>>>>>>> >>>>>>>> > >> > error. >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > I don't understand what you mean about syncing the >>>>>>>> >>>>>>>> > users >>>>>>>> >>>>>> local, >>>>>>>> >>>>>>>> > but >>>>>>>> >>>>>>>> > > we >>>>>>>> >>>>>>>> > >> did >>>>>>>> >>>>>>>> > >> > not need to do anything like that. >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > Chris >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > From: "Matt ." 
>>>>>>>> >>>>>>>> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH >>>>>>>> >>>>>>>> > >> > Cc: "freeipa-users at redhat.com" >>>>>>>> >>>>> >>>>>>>> >>>>>>>> > >> > Date: 04.08.2015 15:33 >>>>>>>> >>>>>>>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba >>>>>>>> >>>>>>>> > Server >>>>>>>> >>>> Auth >>>>>>>> >>>>>>>> > against >>>>>>>> >>>>>>>> > >> IPA >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > Hi Chris, >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > A puppet run added another passdb backend, that >>>> was >>>>>>>> >>> causing >>>>>>>> >>>>>> my >>>>>>>> >>>>>>>> > issue. >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > What I still experience is: >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > [2015/08/04 15:29:45.477783, 3] >>>>>>>> >>>>>>>> > >> > ../source3/auth/check_samsec.c:399 >>>> (check_sam_security) >>>>>>>> >>>>>>>> > >> > check_sam_security: Couldn't find user >>>> 'username' in >>>>>>>> >>>>>> passdb. >>>>>>>> >>>>>>>> > >> > [2015/08/04 15:29:45.478026, 2] >>>>>>>> >>>>>>>> > >> > ../source3/auth/auth.c:288 >>>> (auth_check_ntlm_password) >>>>>>>> >>>>>>>> > >> > check_ntlm_password: Authentication for user >>>>>>>> >> [username] >>>>>>>> >>>>> -> >>>>>>>> >>>>>>>> > >> > [username] FAILED with error >>>> NT_STATUS_NO_SUCH_USER >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > I also wonder if I shall still sync the users >>>> local, >>>>>>>> >>>>>>>> > or >>>>>>>> >> is >>>>>>>> >>>>> it >>>>>>>> >>>>>>>> > > needed ? 
>>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > Thanks again, >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > Matt >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < >>>>>>>> >>>>>>>> > >> christopher.lamb at ch.ibm.com>: >>>>>>>> >>>>>>>> > >> >> Hi Matt >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> From our smb.conf file: >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> [global] >>>>>>>> >>>>>>>> > >> >> security = user >>>>>>>> >>>>>>>> > >> >> passdb backend = >>>>>>>> >>>>>>>> > ldapsam:ldap://xxx-ldap2.my.silly.example.com >>>>>>>> >>>>>>>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com >>>>>>>> >>>>>>>> > >> >> ldap admin dn = cn=Directory Manager >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> So yes, we use Directory Manager, it works for >>>> us. I >>>>>>>> >> have >>>>>>>> >>>>>> not >>>>>>>> >>>>>>>> > tried >>>>>>>> >>>>>>>> > >> with >>>>>>>> >>>>>>>> > >> > a >>>>>>>> >>>>>>>> > >> >> less powerful user, but it is conceivable that a >>>>>>>> >>>>>>>> > lesser >>>>>>>> >>>>> user >>>>>>>> >>>>>>>> > may >>>>>>>> >>>>>>>> > not >>>>>>>> >>>>>>>> > >> see >>>>>>>> >>>>>>>> > >> >> all the required attributes, resulting in "no >>>> such >>>>>>>> >>>>>>>> > user" >>>>>>>> >>>>>>>> > errors. >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> Chris >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> From: "Matt ." 
>>>>>>>> >>>>>>>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH >>>>>>>> >>>>>>>> > >> >> Cc: "freeipa-users at redhat.com" >>>>>>>> >>>>>> >>>>>>>> >>>>>>>> > >> >> Date: 04.08.2015 13:32 >>>>>>>> >>>>>>>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba >>>>>>>> >>>>>>>> > Server >>>>>>>> >>>>> Auth >>>>>>>> >>>>>>>> > against >>>>>>>> >>>>>>>> > >> IPA >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> Hi Chris, >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> Thanks for the heads up, indeed local is 4 I see >>>> now >>>>>>>> >> when >>>>>>>> >>>> I >>>>>>>> >>>>>>>> > add a >>>>>>>> >>>>>>>> > >> >> group from the GUI, great thanks! >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> But do you use Directory Manager as ldap admin >>>> user >>>>>>>> >>>>>>>> > or >>>>>>>> >>>> some >>>>>>>> >>>>>>>> > other >>>>>>>> >>>>>>>> > >> >> admin account ? >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> I'm not sure id DM is needed and it should get >>>> that >>>>>>>> >>>>>>>> > deep >>>>>>>> >>>>>> into >>>>>>>> >>>>>>>> > IPA. >>>>>>>> >>>>>>>> > >> >> Also when starting samba it cannot find "such >>>> user" >>>>>>>> >>>>>>>> > as >>>>>>>> >>>> that >>>>>>>> >>>>>>>> > sounds >>>>>>>> >>>>>>>> > >> >> quite known as it has no UID. >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> From your config I see you use DM, this should >>>> work ? >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> Thanks! 
>>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> Matt >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> >> >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> > >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> -- >>>>>>>> >>>>>>>> > >> Manage your subscription for the Freeipa-users >>>> mailing >>>>>>>> >> list: >>>>>>>> >>>>>>>> > >> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>> >>>>>>>> > >> Go to http://freeipa.org for more info on the >>>> project >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > >> >>>>>>>> >>>>>>>> > > >>>>>>>> >>>>>>>> > > >>>>>>>> >>>>>>>> > > >>>>>>>> >>>>>>>> > > >>>>>>>> >>>>>>>> > > -- >>>>>>>> >>>>>>>> > > Manage your subscription for the Freeipa-users mailing >>>>>>>> >>>>>>>> > list: >>>>>>>> >>>>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>> >>>>>>>> > > Go to http://freeipa.org for more info on the project >>>>>>>> >>>>>>>> > > >>>>>>>> >>>>>>>> > > >>>>>>>> >>>>>>>> > > >>>>>>>> >>>>>>>> > > >>>>>>>> >>>>>>>> > >>>>>>>> >>>>>>>> > -- >>>>>>>> >>>>>>>> > Manage your subscription for the Freeipa-users mailing >>>> list: >>>>>>>> >>>>>>>> > https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>> >>>>>>>> > Go to http://freeipa.org for more info on the project >>>>>>>> >>>>>>>> > >>>>>>>> >>>>>>>> > >>>>>>>> >>>>>>>> > >>>>>>>> >>>>>>> >>>>>>>> >>>>>>> >>>>>>>> >>>>>> >>>>>>>> >>>>>> >>>>>>>> >>>>>> >>>>>>>> >>>>>> >>>>>>>> >>>>> >>>>>>>> >>>>> >>>>>>>> >>>>> >>>>>>>> >>>>> >>>>>>>> >>>> >>>>>>>> >>>> >>>>>>>> >>>> >>>>>>>> >>>> >>>>>>>> >>> >>>>>>>> >>> >>>>>>>> >>> >>>>>>>> >>> >>>>>>>> >> >>>>>>>> >> >>>>>>>> >> >>>>>>>> >> >>>>>>> >>>>>>> >>>> >>>> >>>> >>>> From ftweedal at redhat.com Wed Sep 23 09:59:46 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 23 Sep 2015 19:59:46 +1000 Subject: [Freeipa-users] [Import existing CA Cert] In-Reply-To: <56024FB3.2060009@redhat.com> 
References: <56013076.6010801@elegosoft.com> <56024FB3.2060009@redhat.com>
Message-ID: <20150923095946.GY16937@dhcp-40-8.bne.redhat.com>

On Wed, Sep 23, 2015 at 09:07:31AM +0200, Martin Kosek wrote:
> On 09/22/2015 12:41 PM, Michael Anderson wrote:
> > Hi All,
> >
> > we're evaluating freeipa/dogtag as a pki management service and hoping to
> > replace our existing menagerie of bash/openssl scripts. I'm trying to establish
> > a migration path for our existing pki solution and have a few questions:
>
> Hi Michael,
>
> Before you continue with the project, please keep in mind that FreeIPA PKI
> capabilities are bound to the FreeIPA objects - i.e. users, hosts or services.
> It does not allow you to generate completely random certificates (at the moment).
>
> > * how can I import and use our existing CA signing cert?
> > * can I import existing server certs and keys?
>
> Could you create FreeIPA server CA as subordinate CA to your current CA? To me,
> it seems the easiest way as I do not think we have some nice CLIs to inject
> existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they
> have an idea.
>
Indeed, there does not seem to be a supported way to do this but you are
not the only one asking for it (another thread on freeipa-users today asks
the same question). So it is worth filing a ticket if there is not one
already.

For a workaround, you could probably do it by overwriting a keypair in the
nssdb in between step 1 and step 2 of ipa-server-install; it is a nasty
hack and I have not tried it, but it is my only idea right now.

> More here:
> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>
> > * I'm using Fedora22. When I install dogtag-pki, the user page for submitting
> > csr's is available. But when I install the freeipa package, I get a 404 when
> > attempting to access the page. Is this functionality available in freeipa?
>
> When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting
> and passing the certificates from/to user. I think the Dogtag UI should be
> still somehow accessible, but is not the supported way.
>
It should be accessible on ports 8080 / 8443, i.e.
https://your.domain:8443/ca/ee/ca. The full power of Dogtag is
available to you, but as stated it is not the supported way, and if
FreeIPA itself does not solve your certificate use cases, please make
sure we know about them so we can determine whether we should support
it in FreeIPA directly.

Cheers,
Fraser

> FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, or
> via certmonger (man ipa-getcert) component that even renews the certificate.
>
> BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more PKI
> related capabilities than older versions, for beginning Certificate Profiles,
> which are a must if you do not want to use just single fixed cert profile.
>
> More here:
> http://www.freeipa.org/page/Releases/4.2.0
>
> Martin

From ftweedal at redhat.com Wed Sep 23 10:03:57 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 23 Sep 2015 20:03:57 +1000
Subject: [Freeipa-users] Automatic IPA CA cert generation
In-Reply-To: <56025025.9080609@redhat.com>
References: <56016D95.3080708@jmips.co.uk> <56025025.9080609@redhat.com>
Message-ID: <20150923100357.GZ16937@dhcp-40-8.bne.redhat.com>

On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
> On 22/09/15 17:02, James Masson wrote:
> >
> > Hi,
> >
> > we're building IPAs in an automated fashion, for environments that get
> > created and destroyed a lot. At the moment, the CA certs used inside
> > these IPAs are self-signed, as part of the normal "ipa-server-install"
> > setup process.
> >
> > We would like to switch to issuing signed intermediate CA certs to the
> > IPAs we deploy.
> >
> > The documentation lists the two part process necessary for this.
> > First "--external-ca" - and then "--external-cert-file"
> >
> > Are there any ways to skip this, and give the setup process a known
> > public/private key+cert up front? I'm hoping to avoid the need to have
> > to use/send this automatically generated CSR every time.
> >
> > thanks
> >
> > James M
> >
>
> Hello James,
> currently it's not possible but making installation with externally signed
> CA single step sounds really useful to me.
> Currently certmonger is generating the CSR for FreeIPA server in the first
> step of installation. Certmonger is also able to send certificate to
> external CA for signing.
>
> I'm not sure if we could combine these two certmonger's abilities right now
> but if not it shouldn't be difficult to add functionality to certmonger to
> send the CSR to preconfigured CA instead of just storing it in file.
>
> This would of course require configuring the certmonger with information
> about the CA before FreeIPA server installation but it's just one command
> (getcert-add-ca).
>
> Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
>
There are two sides to this - one is using Certmonger for automatic
signing of intermediate CA certificate to be used by IPA, the other
is simply using a CA cert that the administrator already possesses,
e.g. in a PKCS #12 file. These should be separate tickets.
Cheers,
Fraser

> --
> David Kupka
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From james.masson at jmips.co.uk Wed Sep 23 10:16:27 2015
From: james.masson at jmips.co.uk (James Masson)
Date: Wed, 23 Sep 2015 11:16:27 +0100
Subject: [Freeipa-users] Automatic IPA CA cert generation
In-Reply-To: <20150923100357.GZ16937@dhcp-40-8.bne.redhat.com>
References: <56016D95.3080708@jmips.co.uk> <56025025.9080609@redhat.com> <20150923100357.GZ16937@dhcp-40-8.bne.redhat.com>
Message-ID: <56027BFB.2050801@jmips.co.uk>

On 23/09/15 11:03, Fraser Tweedale wrote:
> On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
>> On 22/09/15 17:02, James Masson wrote:
>>>
>>> Hi,
>>>
>>> we're building IPAs in an automated fashion, for environments that get
>>> created and destroyed a lot. At the moment, the CA certs used inside
>>> these IPAs are self-signed, as part of the normal "ipa-server-install"
>>> setup process.
>>>
>>> We would like to switch to issuing signed intermediate CA certs to the
>>> IPAs we deploy.
>>>
>>> The documentation lists the two part process necessary for this. First
>>> "--external-ca" - and then "--external-cert-file"
>>>
>>> Are there any ways to skip this, and give the setup process a known
>>> public/private key+cert up front? I'm hoping to avoid the need to have
>>> to use/send this automatically generated CSR every time.
>>>
>>> thanks
>>>
>>> James M
>>>
>>
>> Hello James,
>> currently it's not possible but making installation with externally signed
>> CA single step sounds really useful to me.
>> Currently certmonger is generating the CSR for FreeIPA server in the first
>> step of installation. Certmonger is also able to send certificate to
>> external CA for signing.
>>
>> I'm not sure if we could combine these two certmonger's abilities right now
>> but if not it shouldn't be difficult to add functionality to certmonger to
>> send the CSR to preconfigured CA instead of just storing it in file.
>>
>> This would of course require configuring the certmonger with information
>> about the CA before FreeIPA server installation but it's just one command
>> (getcert-add-ca).
>>
>> Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
>>
> There are two sides to this - one is using Certmonger for automatic
> signing of intermediate CA certificate to be used by IPA, the other
> is simply using a CA cert that the administrator already possesses,
> e.g. in a PKCS #12 file. These should be separate tickets.
>
> Cheers,
> Fraser
>
>> --
>> David Kupka
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

Done -

https://fedorahosted.org/freeipa/ticket/5317
https://fedorahosted.org/freeipa/ticket/5318

Would it be possible to use Certmonger to help the 2 step process used at
the moment? ie.

run 'ipa-server-install' the first time - get the CSR
use local Certmonger to handle the CSR submission to upstream CA
use the resulting Cert in the second 'ipa-server-install'

Any pointers?

regards

James M

From mkosek at redhat.com Wed Sep 23 10:35:17 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 23 Sep 2015 12:35:17 +0200
Subject: [Freeipa-users] How to turn off RC4 in 389ds???
In-Reply-To:
References:
Message-ID: <56028065.9060406@redhat.com>

On 09/23/2015 11:00 AM, Michael Lasevich wrote:
> OK, this is most bizarre issue,
>
> I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636) and
> for the life of me cannot get it to work
>
> I have followed many nearly identical instructions to create ldif file and
> change "nsSSL3Ciphers" in "cn=encryption,cn=config".
> Seems simple enough -
> and I get it to take, and during the startup I can see the right SSL Cipher
> Suites listed in errors.log - but when it starts and I probe it, RC4
> ciphers are still there. I am completely confused.
>
> I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")
> and to old style cyphers lists(lowercase), and new style cypher
> lists(uppercase), and nothing seems to make any difference.
>
> Any ideas?
>
> -M

Are you asking about standalone 389-DS or the one integrated in FreeIPA? As
with currently supported versions of FreeIPA, RC4 ciphers should be already
gone, AFAIK.

In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687
https://fedorahosted.org/freeipa/ticket/4653

From michael.anderson at elegosoft.com Wed Sep 23 08:05:58 2015
From: michael.anderson at elegosoft.com (Michael Anderson)
Date: Wed, 23 Sep 2015 10:05:58 +0200
Subject: [Freeipa-users] [Import existing CA Cert]
In-Reply-To: <56024FB3.2060009@redhat.com>
References: <56013076.6010801@elegosoft.com> <56024FB3.2060009@redhat.com>
Message-ID: <56025D66.4050800@elegosoft.com>

Hi Martin,

thanks for your reply.

On 09/23/2015 09:07 AM, Martin Kosek wrote:
> On 09/22/2015 12:41 PM, Michael Anderson wrote:
>> Hi All,
>>
>> we're evaluation freeipa/dogtag as a pki management service and hoping to
>> replace our existing menagerie of bash/openssl scripts. I'm trying to establish
>> a migration path for our existing pki solution and have a few questions:
> Hi Michael,
>
> Before you continue with the project, please keep in mind that FreeIPA PKI
> capabilities are bound to the FreeIPA objects - i.e. users, hosts or services.
> It does not allow you to generate completely random certificates (at the moment).

Does that mean that I can only generate certificates for hosts running the
client software?
What I'd really like to be able to do is automate Apache/Nginx SSL cert
generation for our dev/continuous-delivery infrastructure. So I'd like to
have two or three signing CA's for dev, staging and prod and automate CSR
creation, signing and deployment. Is this feasible with freeipa?

>
>> * how can I import and use our existing CA signing cert?
>> * can I import existing server certs and keys?
> Could you create FreeIPA server CA as subordinate CA to your current CA? To me,
> it seems the easiest way as I do not think we have some nice CLIs to inject
> existing CA cert+key to FreeIPA/Dogtag. CCing Jan and Fraser to see if they
> have an idea.
>
> More here:
> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

With my current project I'll be rebuilding a lot of stuff, so starting
fresh with a new freeipa-generated signing cert won't be such a problem.
That said, it seems to me that the ability to import and use an existing
signing cert would lower the adoption threshold for new users.

>
>> * I'm using Fedora22. When I install dogtag-pki, the user page for submitting
>> csr's is available. But when I install the freeipa package, I get a 404 when
>> attempting to access the page. Is this functionality available in freeipa?
> When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting
> and passing the certificates from/to user. I think the Dogtag UI should be
> still somehow accessible, but is not the supported way.
>
> FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, or
> via certmonger (man ipa-getcert) component that even renews the certificate.
>
> BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more PKI
> related capabilities than older versions, for beginning Certificate Profiles,
> which are a must if you do not want to use just single fixed cert profile.

I'm using the version packaged with Fedora 22, 4.1.4

>
> More here:
> http://www.freeipa.org/page/Releases/4.2.0
>
> Martin

--
Michael Anderson
IT Services & Support
elego Software Solutions GmbH
Gustav-Meyer-Allee 25
Building 12.3 (BIG) room 227
13355 Berlin, Germany
phone +49 30 23 45 86 96
michael.anderson at elegosoft.com
fax +49 30 23 45 86 95
http://www.elegosoft.com
Geschaeftsfuehrer: Olaf Wagner, Sitz Berlin
Amtsgericht Berlin-Charlottenburg, HRB 77719, USt-IdNr: DE163214194

From rcritten at redhat.com Wed Sep 23 12:51:09 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 23 Sep 2015 08:51:09 -0400
Subject: [Freeipa-users] Automatic IPA CA cert generation
In-Reply-To: <56025025.9080609@redhat.com>
References: <56016D95.3080708@jmips.co.uk> <56025025.9080609@redhat.com>
Message-ID: <5602A03D.2040401@redhat.com>

David Kupka wrote:
> On 22/09/15 17:02, James Masson wrote:
>>
>> Hi,
>>
>> we're building IPAs in an automated fashion, for environments that get
>> created and destroyed a lot. At the moment, the CA certs used inside
>> these IPAs are self-signed, as part of the normal "ipa-server-install"
>> setup process.
>>
>> We would like to switch to issuing signed intermediate CA certs to the
>> IPAs we deploy.
>>
>> The documentation lists the two part process necessary for this. First
>> "--external-ca" - and then "--external-cert-file"
>>
>> Are there any ways to skip this, and give the setup process a known
>> public/private key+cert up front? I'm hoping to avoid the need to have
>> to use/send this automatically generated CSR every time.
>>
>> thanks
>>
>> James M
>>
>
> Hello James,
> currently it's not possible but making installation with externally
> signed CA single step sounds really useful to me.
> Currently certmonger is generating the CSR for FreeIPA server in the
> first step of installation. Certmonger is also able to send certificate
> to external CA for signing.
>
> I'm not sure if we could combine these two certmonger's abilities right
> now but if not it shouldn't be difficult to add functionality to
> certmonger to send the CSR to preconfigured CA instead of just storing
> it in file.
>
> This would of course require configuring the certmonger with information
> about the CA before FreeIPA server installation but it's just one
> command (getcert-add-ca).
>
> Could you please file a ticket
> (https://fedorahosted.org/freeipa/newticket)?
>

Unless something has radically changed AFAIK dogtag generates its own keys
and certmonger simply tracks the cert it issues after-the-fact. There may
be room there to use certmonger with sub-CAs since those are really just
separate profiles, but for the initial install I don't believe certmonger
is used.

rob

From mlasevich at gmail.com Wed Sep 23 08:49:43 2015
From: mlasevich at gmail.com (Michael Lasevich)
Date: Wed, 23 Sep 2015 01:49:43 -0700
Subject: [Freeipa-users] OTP unstable/non functional after upgrade?
Message-ID:

Ok, something odd happened I would love some feedback/ideas on:

We had 4.1.2 running on Fedora that we used for, among other things, OTP
authentication. I have just upgraded these to CentOS 7 with 4.1.4 running
and our OTP setup suddenly became very unstable.

Things that have changed during upgrade that may be contributing to this:

* OS went from Fedora to CentOS7
* Version of the IPA code went from 4.1.2 to 4.1.4
* Anonymous LDAP access was disabled
* Directory Manager password was changed (to solve unrelated problem)
* An attempt to reduce number of supported ciphers for LDAPs (Port 636)
* Ditto for SSL port for apache.

Symptoms:

* Upon even before upgrade was completed (one server, the one auth was
  being attempted against, was still running old code) - it would not
  authenticate LDAP connection using password+otp format. Password alone
  worked fine.
* After update I tried to login to IPA UI using password+otp - it was not
  working.
  So I logged in without otp and added a new OTP code. After that suddenly
  I could use both the old and the new token generators to login.... but
  not all the time... new one was more consistent, but failed from time to
  time too. This is happening to at least one other user - so I think the
  issue is not associated with user account.
* At no time sync token UI worked. Always says wrong/invalid token.

I really need this to work - any ideas/suggestions would be appreciated.

-M
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bahanw042014 at gmail.com Wed Sep 23 14:32:39 2015
From: bahanw042014 at gmail.com (bahan w)
Date: Wed, 23 Sep 2015 16:32:39 +0200
Subject: [Freeipa-users] User, keytab, password and ldap
Message-ID:

Hello !

I'm using IPA 3.0.0 and I have a problem with one of the user I created.
user3

I created this user with the command ipa user-add without specifying any
password.
Then I performed an ipa-getkeytab command with the -P option to have a
keytab and a password.

When I check the ldap server with the following command, I cannot find any
"userpassword" field for this user.

ldapsearch -v -x -D 'cn=Directory Manager' -W -h -p

###
# user3, users, accounts, myrealm
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
displayName: user3 user3
cn: user3 user3
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: user3
gecos: user3 user3
homeDirectory: /home/user3
krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
krbPrincipalName: user3 at MYREALM
givenName: user3
uid: user3
initials: uu
ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
uidNumber:
gidNumber:
memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
krbLastPwdChange: 20150923134438Z
krbPrincipalKey::
krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
krbLastSuccessfulAuth: 20150923120752Z
krbLastFailedAuth: 20150923132257Z
krbLoginFailedCount: 1
###

Then, with an admin ticket, I performed an ipa passwd user3 and I set a one
time password.
Then I connected with user3 and he was able to change its one time password
into something else.
And when I retried the ldapsearch command, the field userpassword was there.
But the keytab is not working anymore.

So here is my question : How can I generate a user with a keytab, a password
and the userpassword field in the ldap ?

The ipa-getkeytab -P option allows me to have both keytab and the password,
but as the field userpassword is missing in the ldap, some other tools using
ldapbackend authentication does not work for this user.

Best regards.

Bahan
-------------- next part --------------
An HTML attachment was scrubbed...
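As an added example (not part of Bahan's message and not FreeIPA code), the check an administrator would run on an ldapsearch dump like the one above: a small LDIF parser that unfolds continuation lines, decodes `::` base64 values, tolerates blank values such as the empty `uidNumber:` / `gidNumber:` / `krbPrincipalKey::` in the pasted output, and then reports whether the entry carries a `userPassword` value at all, which is what tools doing an LDAP simple bind against the entry need. The sample entry is constructed here with shortened object classes and placeholder base64 values, not copied from the thread.

```python
import base64

# Constructed sample entry, modelled on the ldapsearch output in the thread
# (placeholder key/extra-data values; the page's own values are not reused).
SAMPLE_LDIF = """\
# user3, users, accounts, myrealm
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
displayName: user3 user3
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
homeDirectory: /home/user3
krbPrincipalName: user3@MYREALM
uid: user3
uidNumber:
gidNumber:
krbPrincipalKey:: AAECAw==
krbExtraData:: AAEAAA==
krbLoginFailedCount: 1
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries.

    Each entry is a dict mapping the lower-cased attribute name to a list of
    values: str for plain values, bytes for base64 (``::``) values, and "" or
    b"" for blank values.  Comment lines (``#``) are skipped and folded
    continuation lines (leading space) are joined to the previous line.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # LDIF line folding
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical:
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if rest.startswith(":"):            # attr:: base64value
            encoded = rest[1:].strip()
            value = base64.b64decode(encoded) if encoded else b""
        else:                               # attr: value  (may be blank)
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def blank_attributes(entry):
    """Attribute names that appeared with no value, in the order seen."""
    return [name for name, values in entry.items()
            if any(v in ("", b"") for v in values)]


def credential_summary(entry):
    """Which credential material the entry carries.

    A blank ``krbPrincipalKey::`` (as in a scrubbed dump) counts as absent.
    """
    has_pw = any(v not in ("", b"") for v in entry.get("userpassword", []))
    has_key = any(v not in ("", b"") for v in entry.get("krbprincipalkey", []))
    return {
        "dn": entry.get("dn", [""])[0],
        "kerberos_principal": entry.get("krbprincipalname", [""])[0],
        "has_kerberos_key": has_key,      # keytab / Kerberos auth material
        "has_userpassword": has_pw,       # needed for an LDAP simple bind
    }


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(credential_summary(entry))
        print("blank attributes:", blank_attributes(entry))
```

Run against the constructed entry it reports a Kerberos key but no `userPassword`, which matches what Bahan observed after `ipa-getkeytab -P`; the same function run on the dump taken after `ipa passwd` would show `has_userpassword` true.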
URL:

From mlasevich at gmail.com Wed Sep 23 15:05:31 2015
From: mlasevich at gmail.com (Michael Lasevich)
Date: Wed, 23 Sep 2015 08:05:31 -0700
Subject: [Freeipa-users] How to turn off RC4 in 389ds???
In-Reply-To: <56028065.9060406@redhat.com>
References: <56028065.9060406@redhat.com>
Message-ID:

Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly
to post completely non-IPA questions to this list...).
I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no
matter what I do.

I am running "CentOS Linux release 7.1.1503 (Core)"

Relevant Packages:

freeipa-server-4.1.4-1.el7.centos.x86_64
389-ds-base-1.3.3.8-1.el7.centos.x86_64
nss-3.19.1-5.el7_1.x86_64
openssl-1.0.1e-42.el7.9.x86_64

LDAP setting (confirmed that in error.log there is no mention of RC4 in
list of ciphers):

nsSSL3Ciphers: -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha

Slapd "error" log showing no ciphersuites supporting RC4:

[23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not available in NSS 3.16. Ignoring fortezza
[23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.16. Ignoring fortezza_rc4_128_sha
[23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is not available in NSS 3.16. Ignoring fortezza_null
[23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up

But sslscan returns:

$ sslscan --no-failed localhost:636
...
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLS11 256 bits AES256-SHA
Accepted TLS11 128 bits AES128-SHA
Accepted TLS11 128 bits DES-CBC3-SHA
Accepted TLS11 128 bits RC4-SHA
Accepted TLS11 128 bits RC4-MD5
Accepted TLS12 256 bits AES256-SHA256
Accepted TLS12 256 bits AES256-SHA
Accepted TLS12 128 bits AES128-GCM-SHA256
Accepted TLS12 128 bits AES128-SHA256
Accepted TLS12 128 bits AES128-SHA
Accepted TLS12 128 bits DES-CBC3-SHA
Accepted TLS12 128 bits RC4-SHA
Accepted TLS12 128 bits RC4-MD5
...

I would assume the sslscan is broken, but nmap and other scanners all
confirm that RC4 is still on.
-M On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek wrote: > On 09/23/2015 11:00 AM, Michael Lasevich wrote: > > OK, this is most bizarre issue, > > > > I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636) and > > for the life of me cannot get it to work > > > > I have followed many nearly identical instructions to create ldif file > and > > change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough > - > > and I get it to take, and during the startup I can see the right SSL > Cipher > > Suites listed in errors.log - but when it starts and I probe it, RC4 > > ciphers are still there. I am completely confused. > > > > I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4") > > and to old style cyphers lists(lowercase), and new style cypher > > lists(uppercase), and nothing seems to make any difference. > > > > Any ideas? > > > > -M > > Are you asking about standalone 389-DS or the one integrated in FreeIPA? As > with currently supported versions of FreeIPA, RC4 ciphers should be already > gone, AFAIK. > > In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later: > > https://bugzilla.redhat.com/show_bug.cgi?id=1154687 > https://fedorahosted.org/freeipa/ticket/4653 > -------------- next part -------------- An HTML attachment was scrubbed... URL: From lkrispen at redhat.com Wed Sep 23 15:19:28 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 23 Sep 2015 17:19:28 +0200 Subject: [Freeipa-users] How to turn off RC4 in 389ds??? In-Reply-To: References: <56028065.9060406@redhat.com> Message-ID: <5602C300.1020906@redhat.com> On 09/23/2015 05:05 PM, Michael Lasevich wrote: > Yes, I am talking about 389ds as is integrated in FreeIPA (would be > silly to post completely non-IPA questions to this list...). > I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port > 636 no matter what I do. 
> > I am running "CentOS Linux release 7.1.1503 (Core)" > > Relevant Packages: > > freeipa-server-4.1.4-1.el7.centos.x86_64 > 389-ds-base-1.3.3.8-1.el7.centos.x86_64 > nss-3.19.1-5.el7_1.x86_64 > openssl-1.0.1e-42.el7.9.x86_64 > > LDAP setting (confirmed that in error.log there is no menition of RC4 > in list of ciphers): > > nsSSL3Ciphers: > -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha > with ipa the config entry should contain: dn: cn=encryption,cn=config allowWeakCipher: off nsSSL3Ciphers: +all could you try this setting > > Slapd "error" log showing no ciphersuites supporting RC4: > > [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL > version range: min: TLS1.0, max: TLS1.2 > [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not > available in NSS 3.16. Ignoring fortezza > [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite > fortezza_rc4_128_sha is not available in NSS 3.16. Ignoring > fortezza_rc4_128_sha > [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null > is not available in NSS 3.16. 
Ignoring fortezza_null > [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_RSA_WITH_AES_128_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_RSA_WITH_AES_256_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 > B2015.040.128 starting up > > > But sslscan returns: > > $ sslscan --no-failed localhost:636 > ... > > Supported Server Cipher(s): > > Accepted TLSv1 256 bits AES256-SHA > Accepted TLSv1 128 bits AES128-SHA > Accepted TLSv1 128 bits DES-CBC3-SHA > Accepted TLSv1 128 bits RC4-SHA > Accepted TLSv1 128 bits RC4-MD5 > Accepted TLS11 256 bits AES256-SHA > Accepted TLS11 128 bits AES128-SHA > Accepted TLS11 128 bits DES-CBC3-SHA > Accepted TLS11 128 bits RC4-SHA > Accepted TLS11 128 bits RC4-MD5 > Accepted TLS12 256 bits AES256-SHA256 > Accepted TLS12 256 bits AES256-SHA > Accepted TLS12 128 bits AES128-GCM-SHA256 > Accepted TLS12 128 bits AES128-SHA256 > Accepted TLS12 128 bits AES128-SHA > Accepted TLS12 128 bits DES-CBC3-SHA > Accepted TLS12 128 bits RC4-SHA > Accepted TLS12 128 bits RC4-MD5 > > ... > > > I would assume the sslscan is broken, but nmap and other scanners all > confirm that RC4 is still on. 
> > -M > > > On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek > wrote: > > On 09/23/2015 11:00 AM, Michael Lasevich wrote: > > OK, this is most bizarre issue, > > > > I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port > 636) and > > for the life of me cannot get it to work > > > > I have followed many nearly identical instructions to create > ldif file and > > change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems > simple enough - > > and I get it to take, and during the startup I can see the right > SSL Cipher > > Suites listed in errors.log - but when it starts and I probe it, RC4 > > ciphers are still there. I am completely confused. > > > > I tried setting "nsSSL3Ciphers" to "default" (which does not > have "RC4") > > and to old style cyphers lists(lowercase), and new style cypher > > lists(uppercase), and nothing seems to make any difference. > > > > Any ideas? > > > > -M > > Are you asking about standalone 389-DS or the one integrated in > FreeIPA? As > with currently supported versions of FreeIPA, RC4 ciphers should > be already > gone, AFAIK. > > In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later: > > https://bugzilla.redhat.com/show_bug.cgi?id=1154687 > https://fedorahosted.org/freeipa/ticket/4653 > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrew.holway at gmail.com Wed Sep 23 15:27:43 2015 From: andrew.holway at gmail.com (Andrew Holway) Date: Wed, 23 Sep 2015 17:27:43 +0200 Subject: [Freeipa-users] When changing passwords gui displays Login screen is showing Message-ID: Hi, When a user changes their password the ipa gui briefly redirects to a login page. The user often has an impulse to click on the login button which, on occasion, can seem to cause a mess with the password change. Anyone else aware of this behaviour? ta Andrew -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mlasevich at gmail.com Wed Sep 23 15:50:39 2015 From: mlasevich at gmail.com (Michael Lasevich) Date: Wed, 23 Sep 2015 08:50:39 -0700 Subject: [Freeipa-users] How to turn off RC4 in 389ds??? In-Reply-To: <5602C300.1020906@redhat.com> References: <56028065.9060406@redhat.com> <5602C300.1020906@redhat.com> Message-ID: No difference. It is as if this setting is being overwritten somewhere deep in 389ds, because the "error" log correctly reflects the changes, but the actual process does not. (and yes, I verified that the process actually shuts down and start up again when I restart it) ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config" # encryption, config dn: cn=encryption,cn=config objectClass: top objectClass: nsEncryptionConfig cn: encryption nsSSLSessionTimeout: 0 nsSSLClientAuth: allowed sslVersionMin: TLS1.0 nsSSL3Ciphers: +all allowWeakCipher: off nsSSL3: off nsSSL2: off ... (skipping nssslenabledciphers's) ... nsTLS1: on sslVersionMax: TLS1.2 SLAPD error log got longer: SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [23/Sep/2015:09:37:28 -0600] - SSL alert: Configured NSS Ciphers [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [23/Sep/2015:09:37:28 -0600] - SSL 
alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL 
alert: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [23/Sep/2015:09:37:29 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up SSLScan Output: sslscan --no-failed localhost:636 ... Supported Server Cipher(s): Accepted TLSv1 256 bits AES256-SHA Accepted TLSv1 128 bits AES128-SHA Accepted TLSv1 128 bits DES-CBC3-SHA Accepted TLSv1 128 bits RC4-SHA Accepted TLSv1 128 bits RC4-MD5 Accepted TLS11 256 bits AES256-SHA Accepted TLS11 128 bits AES128-SHA Accepted TLS11 128 bits DES-CBC3-SHA Accepted TLS11 128 bits RC4-SHA Accepted TLS11 128 bits RC4-MD5 Accepted TLS12 256 bits AES256-SHA256 Accepted TLS12 256 bits AES256-SHA Accepted TLS12 128 bits AES128-GCM-SHA256 Accepted TLS12 128 bits AES128-SHA256 Accepted TLS12 128 bits AES128-SHA Accepted TLS12 128 bits DES-CBC3-SHA Accepted TLS12 128 bits RC4-SHA Accepted TLS12 128 bits RC4-MD5 On Wed, Sep 23, 2015 at 8:19 AM, Ludwig Krispenz wrote: > > On 09/23/2015 05:05 PM, Michael Lasevich wrote: > > Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly > to post completely non-IPA questions to this list...). > I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no > matter what I do. 
> > I am running "CentOS Linux release 7.1.1503 (Core)" > > Relevant Packages: > > freeipa-server-4.1.4-1.el7.centos.x86_64 > 389-ds-base-1.3.3.8-1.el7.centos.x86_64 > nss-3.19.1-5.el7_1.x86_64 > openssl-1.0.1e-42.el7.9.x86_64 > > LDAP setting (confirmed that in error.log there is no menition of RC4 in > list of ciphers): > > nsSSL3Ciphers: > -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha > > with ipa the config entry should contain: > > dn: cn=encryption,cn=config > allowWeakCipher: off > nsSSL3Ciphers: +all > > could you try this setting > > Slapd "error" log showing no ciphersuites supporting RC4: > > [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version > range: min: TLS1.0, max: TLS1.2 > [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not > available in NSS 3.16. Ignoring fortezza > [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite > fortezza_rc4_128_sha is not available in NSS 3.16. Ignoring > fortezza_rc4_128_sha > [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is > not available in NSS 3.16. 
Ignoring fortezza_null > [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_RSA_WITH_AES_128_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_RSA_WITH_AES_256_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128 > starting up > > But sslscan returns: > > $ sslscan --no-failed localhost:636 > ... > > Supported Server Cipher(s): > > Accepted TLSv1 256 bits AES256-SHA > Accepted TLSv1 128 bits AES128-SHA > Accepted TLSv1 128 bits DES-CBC3-SHA > Accepted TLSv1 128 bits RC4-SHA > Accepted TLSv1 128 bits RC4-MD5 > Accepted TLS11 256 bits AES256-SHA > Accepted TLS11 128 bits AES128-SHA > Accepted TLS11 128 bits DES-CBC3-SHA > Accepted TLS11 128 bits RC4-SHA > Accepted TLS11 128 bits RC4-MD5 > Accepted TLS12 256 bits AES256-SHA256 > Accepted TLS12 256 bits AES256-SHA > Accepted TLS12 128 bits AES128-GCM-SHA256 > Accepted TLS12 128 bits AES128-SHA256 > Accepted TLS12 128 bits AES128-SHA > Accepted TLS12 128 bits DES-CBC3-SHA > Accepted TLS12 128 bits RC4-SHA > Accepted TLS12 128 bits RC4-MD5 > > ... > > > I would assume the sslscan is broken, but nmap and other scanners all > confirm that RC4 is still on. 
> > -M > > On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek wrote: > >> On 09/23/2015 11:00 AM, Michael Lasevich wrote: >> > OK, this is most bizarre issue, >> > >> > I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636) >> and >> > for the life of me cannot get it to work >> > >> > I have followed many nearly identical instructions to create ldif file >> and >> > change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple >> enough - >> > and I get it to take, and during the startup I can see the right SSL >> Cipher >> > Suites listed in errors.log - but when it starts and I probe it, RC4 >> > ciphers are still there. I am completely confused. >> > >> > I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4") >> > and to old style cyphers lists(lowercase), and new style cypher >> > lists(uppercase), and nothing seems to make any difference. >> > >> > Any ideas? >> > >> > -M >> >> Are you asking about standalone 389-DS or the one integrated in FreeIPA? >> As >> with currently supported versions of FreeIPA, RC4 ciphers should be >> already >> gone, AFAIK. >> >> In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later: >> >> https://bugzilla.redhat.com/show_bug.cgi?id=1154687 >> https://fedorahosted.org/freeipa/ticket/4653 >> > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From janellenicole80 at gmail.com Wed Sep 23 17:15:58 2015 From: janellenicole80 at gmail.com (Janelle) Date: Wed, 23 Sep 2015 10:15:58 -0700 Subject: [Freeipa-users] Ghost user? Message-ID: <5602DE4E.2070108@gmail.com> I have a user I created for testing, but now shows as both "there" but not there.. 
*ipa user-show jtest*
ipa: ERROR: jtest: user not found

*ipa user-find jtest*
--------------
1 user matched
--------------
User login: jtest
First name: janelle
Last name: test
Home directory: /home/jtest
Login shell: /bin/bash
Email address: jtest at example.com
UID: 1372025403
GID: 1372025403
Account disabled: False
Password: True
Kerberos keys available: True

*ipa user-del jtest*
ipa: ERROR: jtest: user not found

*ipa user-add jtest*
First name: janelle
Last name: jtest
ipa: ERROR: user with name "jtest" already exists

I am officially baffled. Any ideas?
~Janelle

From mbasti at redhat.com Wed Sep 23 17:36:35 2015 From: mbasti at redhat.com (Martin Basti) Date: Wed, 23 Sep 2015 19:36:35 +0200 Subject: [Freeipa-users] Ghost user? In-Reply-To: <5602DE4E.2070108@gmail.com> References: <5602DE4E.2070108@gmail.com> Message-ID: <5602E323.3060800@redhat.com>
On 09/23/2015 07:15 PM, Janelle wrote:
> I have a user I created for testing, but now shows as both "there" but
> not there..
>
> *ipa user-show jtest*
>
> ipa: ERROR: jtest: user not found
>
> *ipa user-find jtest*
> --------------
> 1 user matched
> --------------
> User login: jtest
> First name: janelle
> Last name: test
> Home directory: /home/jtest
> Login shell: /bin/bash
> Email address: jtest at example.com
> UID: 1372025403
> GID: 1372025403
> Account disabled: False
> Password: True
> Kerberos keys available: True
>
> *ipa user-del jtest*
> ipa: ERROR: jtest: user not found
>
> *ipa user-add jtest*
> First name: janelle
> Last name: jtest
> ipa: ERROR: user with name "jtest" already exists
>
>
> I am officially baffled. Any ideas?
> ~Janelle
>
>
Hello,

can you please check directly with LDAP search, if it is a replication conflict?

Martin
From janellenicole80 at gmail.com Wed Sep 23 18:03:44 2015 From: janellenicole80 at gmail.com (Janelle) Date: Wed, 23 Sep 2015 11:03:44 -0700 Subject: [Freeipa-users] Ghost user? In-Reply-To: <5602E323.3060800@redhat.com> References: <5602DE4E.2070108@gmail.com> <5602E323.3060800@redhat.com> Message-ID: <5602E980.2010707@gmail.com>
On 9/23/15 10:36 AM, Martin Basti wrote:
>
>
> On 09/23/2015 07:15 PM, Janelle wrote:
>> I have a user I created for testing, but now shows as both "there"
>> but not there..
>>
>> *ipa user-show jtest*
>>
>> ipa: ERROR: jtest: user not found
>>
>> *ipa user-find jtest*
>> --------------
>> 1 user matched
>> --------------
>> User login: jtest
>> First name: janelle
>> Last name: test
>> Home directory: /home/jtest
>> Login shell: /bin/bash
>> Email address: jtest at example.com
>> UID: 1372025403
>> GID: 1372025403
>> Account disabled: False
>> Password: True
>> Kerberos keys available: True
>>
>> *ipa user-del jtest*
>> ipa: ERROR: jtest: user not found
>>
>> *ipa user-add jtest*
>> First name: janelle
>> Last name: jtest
>> ipa: ERROR: user with name "jtest" already exists
>>
>>
>> I am officially baffled. Any ideas?
>> ~Janelle
>>
>>
>>
>
> Hello,
>
> can you please check directly with LDAP search, if it is a replication
> conflict?
>
> Martin
I am not sure what I am looking for to determine the replication conflict you speak of. I know how to use ldapsearch, but not sure what you want to see.
~J
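An added example of the check Martin suggests (not FreeIPA's own code, and not from anyone in the thread): run the conflict search described in the Red Hat Directory Server administration guide, parse the result and pick out conflict copies of the user in question. When replication produces a naming conflict, 389-ds keeps the losing entry under a DN prefixed with nsuniqueid=<id>+ and tags it with nsds5ReplConflict. Such an entry still matches a (uid=jtest) filter, so user-find can see it, while user-show, which looks up the expected DN uid=jtest,cn=users,cn=accounts,..., cannot; that would explain the disagreement in the first message. The base DN and the sample ldapsearch output below are constructed.

```python
"""Find 389-ds replication-conflict entries behind a "ghost" IPA user.

Added example for the "Ghost user?" thread; not FreeIPA's own code.  When
replication produces a naming conflict, 389-ds keeps the loser under a DN
prefixed with "nsuniqueid=<id>+" and tags it with nsds5ReplConflict.  Such
an entry still matches a (uid=jtest) filter while a lookup by the expected
DN uid=jtest,cn=users,cn=accounts,... fails.  The base DN and the LDIF
sample below are constructed.
"""
import re
from typing import Dict, List, Tuple

BASE_DN = "dc=example,dc=com"  # assumption: replace with your realm's base DN
CONFLICT_RDN = re.compile(r"^nsuniqueid=[0-9a-fA-F-]+\+")


def ldapsearch_argv(base_dn: str = BASE_DN) -> List[str]:
    """The conflict search from the Red Hat DS guide, as an argv list."""
    return ["ldapsearch", "-x", "-D", "cn=directory manager", "-W",
            "-b", base_dn, "(nsds5ReplConflict=*)", "*", "nsds5ReplConflict"]


def parse_ldif_entries(text: str) -> List[Dict[str, List[str]]]:
    """Split ldapsearch output into entries, unfolding continuation lines.
    Base64 values ("attr:: ...") are kept verbatim, not decoded."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():                      # blank line ends an entry
            if "dn" in current:
                entries.append(current)
            current, last_attr = {}, None
        elif raw.startswith("#"):
            continue
        elif raw.startswith(" ") and last_attr:  # LDIF folding
            current[last_attr][-1] += raw[1:]
        else:
            name, _, value = raw.partition(":")
            last_attr = name.strip()
            current.setdefault(last_attr, []).append(value.strip())
    if "dn" in current:
        entries.append(current)
    return entries


def find_conflicts(entries: List[Dict[str, List[str]]], uid: str) -> List[Tuple[str, str]]:
    """(conflict_dn, original_dn) for every conflict entry carrying this uid."""
    found = []
    for entry in entries:
        dn = entry["dn"][0]
        if uid not in entry.get("uid", []) or not CONFLICT_RDN.match(dn):
            continue
        marker = entry.get("nsds5ReplConflict", [""])[0]
        # value looks like "namingConflict uid=jtest,cn=users,..."
        original = marker.split(None, 1)[1] if " " in marker else CONFLICT_RDN.sub("", dn)
        found.append((dn, original))
    return found


def delete_ldif(conflict_dn: str) -> str:
    """LDIF that drops the duplicate; review before feeding it to ldapmodify."""
    return f"dn: {conflict_dn}\nchangetype: delete\n"


# Constructed sample: what the conflict search might return for the thread's
# jtest (folded dn line included, as ldapsearch wraps long lines).
SAMPLE_OUTPUT = """\
# extended LDIF
# filter: (nsds5ReplConflict=*)

dn: nsuniqueid=66446001-1dd211b2-66225981-2f3ec0d3+uid=jtest,cn=users,cn=acco
 unts,dc=example,dc=com
uid: jtest
nsuniqueid: 66446001-1dd211b2-66225981-2f3ec0d3
nsds5ReplConflict: namingConflict uid=jtest,cn=users,cn=accounts,dc=example,dc=com

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv()))
    for conflict_dn, original_dn in find_conflicts(parse_ldif_entries(SAMPLE_OUTPUT), "jtest"):
        print(f"conflict copy of {original_dn}:\n{delete_ldif(conflict_dn)}")
```

If the only remaining jtest entry is the conflict copy, deleting it (or renaming it back to the original DN, the other resolution the guide describes) is what clears the ghost; run the search on every replica, since the conflict entry may not have replicated uniformly.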
URL: From Andy.Thompson at e-tcc.com Wed Sep 23 18:03:45 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Wed, 23 Sep 2015 18:03:45 +0000 Subject: [Freeipa-users] sssd public socket error Message-ID: <04d971afeace4bdeae8230f0f8244877@TCCCORPEXCH02.TCC.local> On one of my servers I'm getting Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session): session opened for user user by (uid=0) Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred): Request to sssd failed. Public socket has wrong ownership or permissions. Authentication still works but group name lookups fail on the server. Haven't been able to track down yet what config is different on this server and I can't find any information on this, anyone have any thoughts? Thanks -andy *** This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. *** From rcritten at redhat.com Wed Sep 23 18:08:54 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Sep 2015 14:08:54 -0400 Subject: [Freeipa-users] Ghost user? In-Reply-To: <5602E980.2010707@gmail.com> References: <5602DE4E.2070108@gmail.com> <5602E323.3060800@redhat.com> <5602E980.2010707@gmail.com> Message-ID: <5602EAB6.2080408@redhat.com> Janelle wrote: > On 9/23/15 10:36 AM, Martin Basti wrote: >> >> >> On 09/23/2015 07:15 PM, Janelle wrote: >>> I have a user I created for testing, but now shows as both "there" >>> but not there.. 
>>> >>> *ipa user-show jtest* >>> >>> ipa: ERROR: jtest: user not found >>> >>> *ipa user-find jtest* >>> -------------- >>> 1 user matched >>> -------------- >>> User login: jtest >>> First name: janelle >>> Last name: test >>> Home directory: /home/jtest >>> Login shell: /bin/bash >>> Email address: jtest at example.com >>> UID: 1372025403 >>> GID: 1372025403 >>> Account disabled: False >>> Password: True >>> Kerberos keys available: True >>> >>> *ipa user-del jtest* >>> ipa: ERROR: jtest: user not found >>> >>> *ipa user-add jtest* >>> First name: janelle >>> Last name: jtest >>> ipa: ERROR: user with name "jtest" already exists >>> >>> >>> I am officially baffled. Any ideas? >>> ~Janelle >>> >>> >>> >> >> Hello, >> >> can you please check directly with LDAP search, if it is replication >> conflict? >> >> Martin > I am not sure what I am looking for to determine the replication > conflict you speak of. I know how to use ldapsearch, but not sure what > you want to see. https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html From mkosek at redhat.com Wed Sep 23 18:53:06 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 23 Sep 2015 20:53:06 +0200 Subject: [Freeipa-users] How to turn off RC4 in 389ds??? In-Reply-To: References: <56028065.9060406@redhat.com> Message-ID: <5602F512.7050409@redhat.com> On 09/23/2015 05:05 PM, Michael Lasevich wrote: > Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly to > post completely non-IPA questions to this list...). You would not be the first to do it :-) > I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no > matter what I do. 
> > I am running "CentOS Linux release 7.1.1503 (Core)" > > Relevant Packages: > > freeipa-server-4.1.4-1.el7.centos.x86_64 > 389-ds-base-1.3.3.8-1.el7.centos.x86_64 > nss-3.19.1-5.el7_1.x86_64 > openssl-1.0.1e-42.el7.9.x86_64 > > LDAP setting (confirmed that in error.log there is no menition of RC4 in list > of ciphers): > > nsSSL3Ciphers: > -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha Something is really strange here. We need to see settings in "cn=encryption,cn=config" to investigate further. $ ldapsearch -h ipa.example.com -b cn=encryption,cn=config -D "cn=Directory Manager" -x -W should be a good start to give this information. nsSSL3Ciphers for example should be set to "+all" and "allowWeakCipher" to off, as per http://fedorahosted.org/freeipa/ticket/4395 > Slapd "error" log showing no ciphersuites supporting RC4: > > [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version range: > min: TLS1.0, max: TLS1.2 > [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not > available in NSS 3.16. Ignoring fortezza > [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_rc4_128_sha is > not available in NSS 3.16. Ignoring fortezza_rc4_128_sha > [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is not > available in NSS 3.16. 
Ignoring fortezza_null > [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: > TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: > enabled > [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: > enabled > [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 > B2015.040.128 starting up > > > But sslscan returns: > > $ sslscan --no-failed localhost:636 > ... > > Supported Server Cipher(s): > > Accepted TLSv1 256 bits AES256-SHA > Accepted TLSv1 128 bits AES128-SHA > Accepted TLSv1 128 bits DES-CBC3-SHA > Accepted TLSv1 128 bits RC4-SHA > Accepted TLSv1 128 bits RC4-MD5 > Accepted TLS11 256 bits AES256-SHA > Accepted TLS11 128 bits AES128-SHA > Accepted TLS11 128 bits DES-CBC3-SHA > Accepted TLS11 128 bits RC4-SHA > Accepted TLS11 128 bits RC4-MD5 > Accepted TLS12 256 bits AES256-SHA256 > Accepted TLS12 256 bits AES256-SHA > Accepted TLS12 128 bits AES128-GCM-SHA256 > Accepted TLS12 128 bits AES128-SHA256 > Accepted TLS12 128 bits AES128-SHA > Accepted TLS12 128 bits DES-CBC3-SHA > Accepted TLS12 128 bits RC4-SHA > Accepted TLS12 128 bits RC4-MD5 > > ... > > > I would assume the sslscan is broken, but nmap and other scanners all confirm > that RC4 is still on. 
> > -M > > > On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek > wrote: > > On 09/23/2015 11:00 AM, Michael Lasevich wrote: > > OK, this is most bizarre issue, > > > > I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636) and > > for the life of me cannot get it to work > > > > I have followed many nearly identical instructions to create ldif file and > > change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough - > > and I get it to take, and during the startup I can see the right SSL Cipher > > Suites listed in errors.log - but when it starts and I probe it, RC4 > > ciphers are still there. I am completely confused. > > > > I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4") > > and to old style cyphers lists(lowercase), and new style cypher > > lists(uppercase), and nothing seems to make any difference. > > > > Any ideas? > > > > -M > > Are you asking about standalone 389-DS or the one integrated in FreeIPA? As > with currently supported versions of FreeIPA, RC4 ciphers should be already > gone, AFAIK. > > In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later: > > https://bugzilla.redhat.com/show_bug.cgi?id=1154687 > https://fedorahosted.org/freeipa/ticket/4653 > > From mlasevich at gmail.com Wed Sep 23 19:33:36 2015 From: mlasevich at gmail.com (Michael Lasevich) Date: Wed, 23 Sep 2015 12:33:36 -0700 Subject: [Freeipa-users] How to turn off RC4 in 389ds??? In-Reply-To: <5602F512.7050409@redhat.com> References: <56028065.9060406@redhat.com> <5602F512.7050409@redhat.com> Message-ID: I actually just posted that in a previous email. 
The only thing I cut out were nsSSLEnabledCiphers - but here is the complete listing:

# ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# encryption, config
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: TLS1.0
nsSSL3Ciphers: +all
allowWeakCipher: off
nsSSL3: off
nsSSL2: off
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::SHA384::256
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nsSSLSupportedCiphers: TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128
nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128
nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5::RC2::MD5::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA256::NULL::SHA256::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_MD5::NULL::MD5::0
nsSSLSupportedCiphers: SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128
nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_WITH_MD5::RC2::MD5::128
nsSSLSupportedCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
nsSSLSupportedCiphers: SSL_CK_DES_64_CBC_WITH_MD5::DES::MD5::64
nsSSLSupportedCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128
nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5::RC2::MD5::128
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nssslenabledciphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nssslenabledciphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nssslenabledciphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nssslenabledciphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::SHA384::256
nssslenabledciphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nssslenabledciphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nssslenabledciphers: TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128
nsTLS1: on
sslVersionMax: TLS1.2

# RSA, encryption, config
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
cn: RSA
nsSSLToken: internal (software)

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

On Wed, Sep 23, 2015 at 11:53 AM, Martin Kosek wrote:
> On 09/23/2015 05:05 PM, Michael Lasevich wrote:
>
>> Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly to
>> post completely non-IPA questions to this list...).
>>
>
> You would not be the first to do it :-)
>
>> I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no
>> matter what I do.
>>
>> I am running "CentOS Linux release 7.1.1503 (Core)"
>>
>> Relevant Packages:
>>
>> freeipa-server-4.1.4-1.el7.centos.x86_64
>> 389-ds-base-1.3.3.8-1.el7.centos.x86_64
>> nss-3.19.1-5.el7_1.x86_64
>> openssl-1.0.1e-42.el7.9.x86_64
>>
>> LDAP setting (confirmed that in error.log there is no mention of RC4 in list
>> of ciphers):
>>
>> nsSSL3Ciphers:
>>
>> -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha
>>
>
> Something is really strange here. We need to see settings in
> "cn=encryption,cn=config" to investigate further.
>
> $ ldapsearch -h ipa.example.com -b cn=encryption,cn=config -D
> "cn=Directory Manager" -x -W
>
> should be a good start to give this information. nsSSL3Ciphers for example
> should be set to "+all" and "allowWeakCipher" to off, as per
>
> http://fedorahosted.org/freeipa/ticket/4395
>
>> Slapd "error" log showing no ciphersuites supporting RC4:
>>
>> [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version range:
>> min: TLS1.0, max: TLS1.2
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not
>> available in NSS 3.16. Ignoring fortezza
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_rc4_128_sha is
>> not available in NSS 3.16. Ignoring fortezza_rc4_128_sha
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is not
>> available in NSS 3.16. Ignoring fortezza_null
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
>>
>>
>> But sslscan returns:
>>
>> $ sslscan --no-failed localhost:636
>> ...
>>
>> Supported Server Cipher(s):
>>
>> Accepted TLSv1 256 bits AES256-SHA
>> Accepted TLSv1 128 bits AES128-SHA
>> Accepted TLSv1 128 bits DES-CBC3-SHA
>> Accepted TLSv1 128 bits RC4-SHA
>> Accepted TLSv1 128 bits RC4-MD5
>> Accepted TLS11 256 bits AES256-SHA
>> Accepted TLS11 128 bits AES128-SHA
>> Accepted TLS11 128 bits DES-CBC3-SHA
>> Accepted TLS11 128 bits RC4-SHA
>> Accepted TLS11 128 bits RC4-MD5
>> Accepted TLS12 256 bits AES256-SHA256
>> Accepted TLS12 256 bits AES256-SHA
>> Accepted TLS12 128 bits AES128-GCM-SHA256
>> Accepted TLS12 128 bits AES128-SHA256
>> Accepted TLS12 128 bits AES128-SHA
>> Accepted TLS12 128 bits DES-CBC3-SHA
>> Accepted TLS12 128 bits RC4-SHA
>> Accepted TLS12 128 bits RC4-MD5
>>
>> ...
>>
>>
>> I would assume the sslscan is broken, but nmap and other scanners all confirm
>> that RC4 is still on.
>>
>> -M
>>
>>
>> On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek wrote:
>>
>> On 09/23/2015 11:00 AM, Michael Lasevich wrote:
>> > OK, this is most bizarre issue,
>> >
>> > I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636) and
>> > for the life of me cannot get it to work
>> >
>> > I have followed many nearly identical instructions to create ldif file and
>> > change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough -
>> > and I get it to take, and during the startup I can see the right SSL Cipher
>> > Suites listed in errors.log - but when it starts and I probe it, RC4
>> > ciphers are still there. I am completely confused.
>> >
>> > I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")
>> > and to old style cipher lists (lowercase), and new style cipher
>> > lists (uppercase), and nothing seems to make any difference.
>> >
>> > Any ideas?
>> >
>> > -M
>>
>> Are you asking about standalone 389-DS or the one integrated in FreeIPA? As
>> with currently supported versions of FreeIPA, RC4 ciphers should be already
>> gone, AFAIK.
>>
>> In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1154687
>> https://fedorahosted.org/freeipa/ticket/4653
>>
>>

From aly.khimji at gmail.com Wed Sep 23 19:38:39 2015
From: aly.khimji at gmail.com (Aly Khimji)
Date: Wed, 23 Sep 2015 15:38:39 -0400
Subject: [Freeipa-users] dns_lookup_kdc question
Message-ID:

Hey guys,

Quick question. Just running through a poc and ran into a question.

I have a simple AD DC (win2k8r2 box) with a trust setup to our IPA server. Trust and all is setup properly and I can see users on the client/ipa server and on the ipa server I can ssh into it with the AD user.

I am finding that users are unable to log into the "client nodes" and are getting a "4: System Error" failure in the ssh log.
When I dig into the sssd in debug mode I can see it's failing to find KDC for the "realm". Makes sense so far. So I enable dns_lookup_kdc = true and now it is able to find the realm and login is successful.

My question is, is this "dns_lookup_kdc = true" required in any setup with AD/IPA trust + ssh into IPA client with AD users?

I am wondering as there may be a use case where the AD server is in another network and IPA clients won't have direct access to AD. I was wondering if there is any model in which the client only ever talks to IPA server and all the AD/Kerberos communication is handled via the IPA server and if so how is this done?

I have read a bit and this looks as though what I am doing here is a "legacy" setup. Just wondering if this is different in sssd 1.9 or if kdc = True is always required.

I am not doing anything extra on the client other than the ipa-client install. No manual adjustment of sssd.conf or krb5.conf. If I am missing something please advise.

Thanks guys

Aly

SW info:

Server
ipa-admintools-4.1.0-18.el7.centos.4.x86_64
ipa-python-4.1.0-18.el7.centos.4.x86_64
ipa-client-4.1.0-18.el7.centos.4.x86_64
ipa-server-trust-ad-4.1.0-18.el7.centos.4.x86_64
ipa-server-4.1.0-18.el7.centos.4.x86_64

el7 Client
sssd-client-1.12.2-58.el7_1.17.x86_64
sssd-common-1.12.2-58.el7_1.17.x86_64
sssd-ad-1.12.2-58.el7_1.17.x86_64
sssd-proxy-1.12.2-58.el7_1.17.x86_64
sssd-krb5-1.12.2-58.el7_1.17.x86_64
ipa-python-4.1.0-18.el7.centos.4.x86_64
sssd-krb5-common-1.12.2-58.el7_1.17.x86_64
sssd-common-pac-1.12.2-58.el7_1.17.x86_64
sssd-ipa-1.12.2-58.el7_1.17.x86_64
sssd-ldap-1.12.2-58.el7_1.17.x86_64
sssd-1.12.2-58.el7_1.17.x86_64
ipa-client-4.1.0-18.el7.centos.4.x86_64

el6 client
sssd-common-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64
ipa-python-3.0.0-47.el6.centos.x86_64
sssd-client-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64
ipa-client-3.0.0-47.el6.centos.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64

From abokovoy at redhat.com Wed Sep 23 19:50:56 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 23 Sep 2015 22:50:56 +0300
Subject: [Freeipa-users] dns_lookup_kdc question
In-Reply-To:
References:
Message-ID: <20150923195056.GB7201@redhat.com>

On Wed, 23 Sep 2015, Aly Khimji wrote:
>Hey guys,
>
>Quick question. Just running through a poc and ran into a question.
>
>I have a simple AD DC (win2k8r2 box) with a trust setup to our IPA server.
>Trust and all is setup properly and I can see users on the client/ipa
>server and on the ipa server I can ssh into it with the AD user.
>
>I am finding that users are unable to log into the "client nodes" and are
>getting a "4: System Error" failure in the ssh log. When I dig into the
>sssd in debug mode I can see it's failing to find KDC for the "realm". Makes
>sense so far. So I enable dns_lookup_kdc = true and now it is able to find
>the realm and login is successful.
Correct.

>My question is, is this "dns_lookup_kdc = true" required in any setup with
>AD/IPA trust + ssh into IPA client with AD users?
Yes, in currently released versions you have to have that in the krb5.conf.

>I am wondering as there may be a use case where the AD server is in another
>network and IPA clients won't have direct access to AD. I was wondering if
>there is any model in which the client only ever talks to IPA server and
>all the AD/Kerberos communication is handled via the IPA server and if so how
>is this done?
Yes, there is a way to do so with FreeIPA 4.2, by using KDC proxy
functionality. You can enable KDC proxy on IPA master and make sure to set
manually on each client a 'kdc' property for each AD realm to point to
https://ipa.master/KDCProxy.
Then on the IPA master itself have an explicit definition in krb5.conf for
AD realms pointing to proper AD DCs for the 'kdc' property. With this setup
you would have all Kerberos traffic (same can be done with kadmin protocol
too, I think) redirected via IPA masters to AD DCs.

You need to have a fairly recent MIT Kerberos library for that, though. RHEL7
should be OK. I haven't checked latest MIT krb5 backports in RHEL6, though.

>I have read a bit and this looks as though what I am doing here is a
>"legacy" setup. Just wondering if this is different in sssd 1.9 or if kdc =
>True is always required.
>
>I am not doing anything extra on the client other than the ipa-client
>install.
>No manual adjustment of sssd.conf or krb5.conf. If I am missing something
>please advise.
ipa-client-install sets 'dns_lookup_kdc = true' by default if your DNS
discovery of KDC was successful and no '--force' option was specified.

-- 
/ Alexander Bokovoy

From hectorl at alumni.usc.edu Wed Sep 23 19:53:31 2015
From: hectorl at alumni.usc.edu (HECTOR LOPEZ)
Date: Wed, 23 Sep 2015 12:53:31 -0700
Subject: [Freeipa-users] user delete command hangs kdc and ldap stop responding
In-Reply-To: <560137B0.3080904@redhat.com>
References: <55FBC2AB.7060302@redhat.com> <560137B0.3080904@redhat.com>
Message-ID:

Thierry, here is a fresh pstack of ns-slapd after ipa user-del hangs; the db_stat output follows.
Also, killing ns-slapd restores functionality to ipactl restart:

sh-4.2# gstack 6134
#0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007fa9e017865e in connection_wait_for_new_work () #3 0x00007fa9e017988d in connection_threadmain () #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 12 (Thread 0x7fa9acfe9700 (LWP 6170)): #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007fa9e017865e in connection_wait_for_new_work () #3 0x00007fa9e017988d in connection_threadmain () #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 11 (Thread 0x7fa9ac7e8700 (LWP 6171)): #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007fa9e017865e in connection_wait_for_new_work () #3 0x00007fa9e017988d in connection_threadmain () #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 10 (Thread 0x7fa9abfe7700 (LWP 6172)): #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007fa9e017865e in connection_wait_for_new_work () #3 0x00007fa9e017988d in connection_threadmain () #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 9 (Thread 0x7fa9ab7e6700 (LWP 6173)): #0 0x00007fa9dda41705 in 
pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007fa9d860e2f3 in __db_hybrid_mutex_suspend () from /lib64/ libdb-5.3.so #2 0x00007fa9d860d640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so #3 0x00007fa9d86b7cea in __lock_get_internal () from /lib64/libdb-5.3.so #4 0x00007fa9d86b87d0 in __lock_get () from /lib64/libdb-5.3.so #5 0x00007fa9d86e4112 in __db_lget () from /lib64/libdb-5.3.so #6 0x00007fa9d862b5f5 in __bam_search () from /lib64/libdb-5.3.so #7 0x00007fa9d8616256 in __bamc_search () from /lib64/libdb-5.3.so #8 0x00007fa9d8617d0f in __bamc_get () from /lib64/libdb-5.3.so #9 0x00007fa9d86d0c56 in __dbc_iget () from /lib64/libdb-5.3.so #10 0x00007fa9d86dd843 in __db_get () from /lib64/libdb-5.3.so #11 0x00007fa9d86e1123 in __db_get_pp () from /lib64/libdb-5.3.so #12 0x00007fa9d248949b in id2entry () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #13 0x00007fa9d24af7dd in ldbm_back_delete () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #14 0x00007fa9dfc60190 in op_shared_delete () from /usr/lib64/dirsrv/libslapd.so.0 #15 0x00007fa9dfc60342 in delete_internal_pb () from /usr/lib64/dirsrv/libslapd.so.0 #16 0x00007fa9d1da4739 in mep_del_post_op () from /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so #17 0x00007fa9dfcac280 in plugin_call_func () from /usr/lib64/dirsrv/libslapd.so.0 #18 0x00007fa9dfcac4d8 in plugin_call_plugins () from /usr/lib64/dirsrv/libslapd.so.0 #19 0x00007fa9d24ae42e in ldbm_back_delete () from /usr/lib64/dirsrv/plugins/libback-ldbm.so #20 0x00007fa9dfc60190 in op_shared_delete () from /usr/lib64/dirsrv/libslapd.so.0 #21 0x00007fa9dfc60453 in do_delete () from /usr/lib64/dirsrv/libslapd.so.0 #22 0x00007fa9e017a37e in connection_threadmain () #23 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #24 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #25 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 8 (Thread 0x7fa9aafe5700 (LWP 6174)): #0 0x00007fa9dda41705 in 
pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007fa9e017865e in connection_wait_for_new_work () #3 0x00007fa9e017988d in connection_threadmain () #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 7 (Thread 0x7fa9aa7e4700 (LWP 6175)): #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007fa9e017865e in connection_wait_for_new_work () #3 0x00007fa9e017988d in connection_threadmain () #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 6 (Thread 0x7fa9a9fe3700 (LWP 6176)): #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007fa9e017865e in connection_wait_for_new_work () #3 0x00007fa9e017988d in connection_threadmain () #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 5 (Thread 0x7fa9a97e2700 (LWP 6177)): #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007fa9e017865e in connection_wait_for_new_work () #3 0x00007fa9e017988d in connection_threadmain () #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 4 (Thread 0x7fa9a8fe1700 (LWP 6178)): #0 0x00007fa9dd7628f3 in select () from /lib64/libc.so.6 
#1 0x00007fa9dfcdd459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0 #2 0x00007fa9e017b2c5 in time_thread () #3 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #4 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #5 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 3 (Thread 0x7fa93bfff700 (LWP 6220)): #0 0x00007fa9dda41ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007fa9de096b07 in pt_TimedWait () from /lib64/libnspr4.so #2 0x00007fa9de096fce in PR_WaitCondVar () from /lib64/libnspr4.so #3 0x00007fa9d66d6374 in sync_send_results () from /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 2 (Thread 0x7fa93b7fe700 (LWP 6514)): #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so #2 0x00007fa9e0185c85 in ps_send_results () #3 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so #4 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 #5 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 Thread 1 (Thread 0x7fa9e0142840 (LWP 6134)): #0 0x00007fa9dd760b7d in poll () from /lib64/libc.so.6 #1 0x00007fa9de098967 in _pr_poll_with_poll () from /lib64/libnspr4.so #2 0x00007fa9e017df59 in slapd_daemon () #3 0x00007fa9e017117c in main () here is the db_stat: Default locking region information: 902 Last allocated locker ID 0x7fffffff Current maximum unused locker ID 9 Number of lock modes 200 Initial number of locks allocated 0 Initial number of lockers allocated 200 Initial number of lock objects allocated 10000 Maximum number of locks possible 10000 Maximum number of lockers possible 10000 Maximum number of lock objects possible 390 Current number of locks allocated 188 Current number of lockers 
allocated 250 Current number of lock objects allocated 40 Number of lock object partitions 8191 Size of object hash table 314 Number of current locks 338 Maximum number of locks at any one time 4 Maximum number of locks in any one bucket 457 Maximum number of locks stolen by for an empty partition 23 Maximum number of locks stolen for any one partition 160 Number of current lockers 162 Maximum number of lockers at any one time 216 Number of current lock objects 224 Maximum number of lock objects at any one time 2 Maximum number of lock objects in any one bucket 68 Maximum number of objects stolen by for an empty partition 7 Maximum number of objects stolen for any one partition 1547826 Total number of locks requested 1546707 Total number of locks released 0 Total number of locks upgraded 74 Total number of locks downgraded 38 Lock requests not available due to conflicts, for which we waited 54 Lock requests not available due to conflicts, for which we did not wait 0 Number of deadlocks 0 Lock timeout value 0 Number of locks that have timed out 0 Transaction timeout value 0 Number of transactions that have timed out 2MB 304KB Region size 14 The number of partition locks that required waiting (0%) 9 The maximum number of times any partition lock was waited for (0%) 0 The number of object queue operations that required waiting (0%) 1 The number of locker allocations that required waiting (0%) 2 The number of region locks that required waiting (0%) 3 Maximum hash bucket length =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Lock REGINFO information: Environment Region type 1 Region ID /var/lib/dirsrv/slapd-/db/__db.001 Region name 0x7fdb35b3d000 Region address 0x7fdb35b3d0a0 Region allocation head 0x7fdb35b452b0 Region primary address 0 Region maximum allocation 0 Region allocated Region allocations: 31186 allocations, 0 failures, 30915 frees, 3 longest Allocations by power-of-two sizes: 1KB 31169 2KB 3 4KB 6 8KB 5 16KB 0 32KB 1 64KB 0 128KB 0 256KB 2 512KB 0 1024KB 
1 REGION_SHARED Region flags =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Lock region parameters: 2 Lock region region mutex [2/487136 0% !Own] 16381 locker table size 8191 object table size 34128 obj_off 889656 locker_off 0 need_dd =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Lock conflict matrix: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Locks grouped by lockers: Locker Mode Count Status ----------------- Object --------------- 2 dd=158 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 2 READ 1 HELD userRoot/id2entry.db handle 0 3 dd=157 locks held 0 write locks 0 pid/thread 6134/140366854457088 flags 0 priority 100 4 dd=156 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 4 READ 1 HELD ipaca/id2entry.db handle 0 5 dd=155 locks held 0 write locks 0 pid/thread 6134/140366787315456 flags 0 priority 100 6 dd=154 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 6 READ 1 HELD ipaca/entryrdn.db handle 0 7 dd=153 locks held 0 write locks 0 pid/thread 6134/140366795708160 flags 0 priority 100 8 dd=152 locks held 0 write locks 0 pid/thread 6134/140366812493568 flags 0 priority 100 9 dd=151 locks held 0 write locks 0 pid/thread 6134/140366694995712 flags 0 priority 100 a dd=150 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 a READ 1 HELD ipaca/vlv#allcertspkitomcatindex.db handle 0 c dd=149 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 c READ 1 HELD ipaca/vlv#allinvalidcertspkitomcatindex.db handle 0 d dd=148 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 d READ 1 HELD ipaca/vlv#allinvalidcertsnotbeforepkitomcatindex.db handle 0 e dd=147 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 e READ 1 HELD ipaca/vlv#allnonrevokedcertspkitomcatindex.db handle 0 15 dd=146 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 
priority 100 15 READ 1 HELD ipaca/vlv#allvalidcertspkitomcatindex.db handle 0 16 dd=145 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 16 READ 1 HELD ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db handle 0 17 dd=144 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 17 READ 1 HELD ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db handle 0 18 dd=143 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 18 READ 1 HELD ipaca/vlv#caallpkitomcatindex.db handle 0 1d dd=142 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 1d READ 1 HELD ipaca/vlv#cacompletepkitomcatindex.db handle 0 1e dd=141 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 1e READ 1 HELD ipaca/vlv#cacompleteenrollmentpkitomcatindex.db handle 0 21 dd=140 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 21 READ 1 HELD ipaca/vlv#caenrollmentpkitomcatindex.db handle 0 22 dd=139 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 22 READ 1 HELD ipaca/vlv#capendingpkitomcatindex.db handle 0 23 dd=138 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 23 READ 1 HELD ipaca/vlv#capendingenrollmentpkitomcatindex.db handle 0 2c dd=137 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 2c READ 1 HELD changelog/id2entry.db handle 0 2d dd=136 locks held 0 write locks 0 pid/thread 6134/140367584454400 flags 0 priority 100 2e dd=135 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 2e READ 1 HELD changelog/entryusn.db handle 0 2f dd=134 locks held 0 write locks 0 pid/thread 6134/140367585617984 flags 0 priority 100 30 dd=133 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 30 READ 1 HELD userRoot/entryusn.db handle 0 31 dd=132 locks held 0 write locks 0 pid/thread 6134/140367585617984 
flags 0 priority 100 32 dd=131 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 32 READ 1 HELD ipaca/entryusn.db handle 0 33 dd=130 locks held 0 write locks 0 pid/thread 6134/140367585617984 flags 0 priority 100 34 dd=129 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 34 READ 1 HELD userRoot/entryrdn.db handle 0 35 dd=128 locks held 0 write locks 0 pid/thread 6134/140366745351936 flags 0 priority 100 36 dd=127 locks held 0 write locks 0 pid/thread 6134/140366703388416 flags 0 priority 100 36 READ 1 WAIT userRoot/id2entry.db page 2 37 dd=126 locks held 0 write locks 0 pid/thread 6134/140366745351936 flags 0 priority 100 38 dd=125 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 38 READ 1 HELD userRoot/objectclass.db handle 0 39 dd=124 locks held 0 write locks 0 pid/thread 6134/140366896420608 flags 0 priority 100 3a dd=123 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 3a READ 1 HELD userRoot/ancestorid.db handle 0 3b dd=122 locks held 0 write locks 0 pid/thread 6134/140367585617984 flags 0 priority 100 3c dd=121 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 3c READ 1 HELD changelog/entryrdn.db handle 0 3d dd=120 locks held 0 write locks 0 pid/thread 6134/140367584454400 flags 0 priority 100 3e dd=119 locks held 0 write locks 0 pid/thread 6134/140367584454400 flags 0 priority 100 3f dd=118 locks held 0 write locks 0 pid/thread 6134/140367584454400 flags 0 priority 100 40 dd=117 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 40 READ 1 HELD changelog/objectclass.db handle 0 41 dd=116 locks held 0 write locks 0 pid/thread 6134/140367584454400 flags 0 priority 100 42 dd=115 locks held 0 write locks 0 pid/thread 6134/140367584454400 flags 0 priority 100 43 dd=114 locks held 0 write locks 0 pid/thread 6134/140366904813312 flags 0 priority 100 43 READ 1 WAIT 
userRoot/objectclass.db page 2 44 dd=113 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 44 READ 1 HELD ipaca/objectclass.db handle 0 45 dd=112 locks held 0 write locks 0 pid/thread 6134/140366720173824 flags 0 priority 100 46 dd=111 locks held 0 write locks 0 pid/thread 6134/140366778922752 flags 0 priority 100 47 dd=110 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 47 READ 1 HELD changelog/aci.db handle 0 48 dd=109 locks held 0 write locks 0 pid/thread 6134/140367585617984 flags 0 priority 100 49 dd=108 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 49 READ 1 HELD userRoot/aci.db handle 0 4a dd=107 locks held 0 write locks 0 pid/thread 6134/140367585617984 flags 0 priority 100 4b dd=106 locks held 0 write locks 0 pid/thread 6134/140366720173824 flags 0 priority 100 4c dd=105 locks held 0 write locks 0 pid/thread 6134/140366904813312 flags 0 priority 100 4d dd=104 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 4d READ 1 HELD ipaca/aci.db handle 0 4e dd=103 locks held 0 write locks 0 pid/thread 6134/140367585617984 flags 0 priority 100 4f dd=102 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 4f READ 1 HELD userRoot/parentid.db handle 0 50 dd=101 locks held 0 write locks 0 pid/thread 6134/140367585617984 flags 0 priority 100 51 dd=100 locks held 0 write locks 0 pid/thread 6134/140367584454400 flags 0 priority 100 52 dd=99 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 52 READ 1 HELD changelog/nsuniqueid.db handle 0 53 dd=98 locks held 1 write locks 0 pid/thread 6134/140367585617984 flags 10 priority 100 53 READ 1 HELD changelog/changenumber.db handle 0 54 dd=97 locks held 0 write locks 0 pid/thread 6134/140367584454400 flags 0 priority 100 55 dd=96 locks held 0 write locks 0 pid/thread 6134/140367584454400 flags 0 priority 100 56 dd=95 locks held 1 write locks 0 
pid/thread 6134/140367584454400 flags 10 priority 100 56 READ 1 HELD changelog/targetuniqueid.db handle 0 57 dd=94 locks held 1 write locks 0 pid/thread 6134/140367584454400 flags 10 priority 100 57 READ 1 HELD changelog/parentid.db handle 0 58 dd=93 locks held 1 write locks 0 pid/thread 6134/140367584454400 flags 10 priority 100 58 READ 1 HELD changelog/ancestorid.db handle 0 59 dd=92 locks held 1 write locks 0 pid/thread 6134/140367584454400 flags 10 priority 100 59 READ 1 HELD changelog/numsubordinates.db handle 0 5a dd=91 locks held 0 write locks 0 pid/thread 6134/140367584454400 flags 0 priority 100 5b dd=90 locks held 0 write locks 0 pid/thread 6134/140366820886272 flags 0 priority 100 5c dd=89 locks held 0 write locks 0 pid/thread 6134/140366896420608 flags 0 priority 100 5d dd=88 locks held 1 write locks 0 pid/thread 6134/140366812493568 flags 10 priority 100 5d READ 1 HELD userRoot/krbPrincipalName.db handle 0 5e dd=87 locks held 0 write locks 0 pid/thread 6134/140366896420608 flags 0 priority 100 5f dd=86 locks held 0 write locks 0 pid/thread 6134/140366854457088 flags 0 priority 100 60 dd=85 locks held 0 write locks 0 pid/thread 6134/140366804100864 flags 0 priority 100 61 dd=84 locks held 1 write locks 0 pid/thread 6134/140366694995712 flags 10 priority 100 61 READ 1 HELD userRoot/ipakrbprincipalalias.db handle 0 62 dd=83 locks held 0 write locks 0 pid/thread 6134/140366896420608 flags 0 priority 100 63 dd=82 locks held 0 write locks 0 pid/thread 6134/140366896420608 flags 0 priority 100 64 dd=81 locks held 1 write locks 0 pid/thread 6134/140366762137344 flags 10 priority 100 64 READ 1 HELD changelog/seeAlso.db handle 0 65 dd=80 locks held 0 write locks 0 pid/thread 6134/140366820886272 flags 0 priority 100 66 dd=79 locks held 1 write locks 0 pid/thread 6134/140366762137344 flags 10 priority 100 66 READ 1 HELD userRoot/seeAlso.db handle 0 67 dd=78 locks held 0 write locks 0 pid/thread 6134/140366820886272 flags 0 priority 100 68 dd=77 locks held 1 write 
locks 0 pid/thread 6134/140366762137344 flags 10 priority 100 68 READ 1 HELD ipaca/seeAlso.db handle 0 69 dd=76 locks held 0 write locks 0 pid/thread 6134/140366820886272 flags 0 priority 100 6a dd=75 locks held 0 write locks 0 pid/thread 6134/140366795708160 flags 0 priority 100 6b dd=74 locks held 0 write locks 0 pid/thread 6134/140366795708160 flags 0 priority 100 6c dd=73 locks held 0 write locks 0 pid/thread 6134/140366795708160 flags 0 priority 100 6d dd=72 locks held 0 write locks 0 pid/thread 6134/140366778922752 flags 0 priority 100 6e dd=71 locks held 0 write locks 0 pid/thread 6134/140366778922752 flags 0 priority 100 6f dd=70 locks held 0 write locks 0 pid/thread 6134/140366720173824 flags 0 priority 100 70 dd=69 locks held 0 write locks 0 pid/thread 6134/140366778922752 flags 0 priority 100 71 dd=68 locks held 1 write locks 0 pid/thread 6134/140366669817600 flags 10 priority 100 71 READ 1 HELD ipaca/certstatus.db handle 0 72 dd=67 locks held 0 write locks 0 pid/thread 6134/140366778922752 flags 0 priority 100 73 dd=66 locks held 0 write locks 0 pid/thread 6134/140366871242496 flags 0 priority 100 74 dd=65 locks held 0 write locks 0 pid/thread 6134/140366871242496 flags 0 priority 100 75 dd=64 locks held 1 write locks 0 pid/thread 6134/140366812493568 flags 10 priority 100 75 READ 1 HELD ipaca/cn.db handle 0 76 dd=63 locks held 0 write locks 0 pid/thread 6134/140366812493568 flags 0 priority 100 77 dd=62 locks held 1 write locks 0 pid/thread 6134/140366745351936 flags 10 priority 100 77 READ 1 HELD ipaca/requeststate.db handle 0 78 dd=61 locks held 0 write locks 0 pid/thread 6134/140366745351936 flags 0 priority 100 79 dd=60 locks held 1 write locks 0 pid/thread 6134/140366703388416 flags 10 priority 100 79 READ 1 HELD userRoot/gidnumber.db handle 0 7a dd=59 locks held 0 write locks 0 pid/thread 6134/140366812493568 flags 0 priority 100 7b dd=58 locks held 1 write locks 0 pid/thread 6134/140366703388416 flags 10 priority 100 7b READ 1 HELD 
userRoot/uidnumber.db handle 0 7c dd=57 locks held 0 write locks 0 pid/thread 6134/140366795708160 flags 0 priority 100 7d dd=56 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 7d READ 1 HELD userRoot/nsuniqueid.db handle 0 7e dd=55 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 7e READ 1 HELD userRoot/numsubordinates.db handle 0 7f dd=54 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 7f READ 1 HELD userRoot/member.db handle 0 80 dd=53 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 80 READ 1 HELD userRoot/uniquemember.db handle 0 81 dd=52 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 81 READ 1 HELD userRoot/owner.db handle 0 82 dd=51 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 82 READ 1 HELD userRoot/manager.db handle 0 83 dd=50 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 83 READ 1 HELD userRoot/secretary.db handle 0 84 dd=49 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 84 READ 1 HELD userRoot/memberUser.db handle 0 85 dd=48 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 85 READ 1 HELD userRoot/memberHost.db handle 0 86 dd=47 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 86 READ 1 HELD userRoot/sourcehost.db handle 0 87 dd=46 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 87 READ 1 HELD userRoot/memberservice.db handle 0 88 dd=45 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 88 READ 1 HELD userRoot/managedby.db handle 0 89 dd=44 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 89 READ 1 HELD userRoot/memberallowcmd.db handle 0 8a dd=43 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 8a READ 
1 HELD userRoot/memberdenycmd.db handle 0 8b dd=42 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 8b READ 1 HELD userRoot/ipasudorunas.db handle 0 8c dd=41 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 8c READ 1 HELD userRoot/ipasudorunasgroup.db handle 0 8d dd=40 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 8d READ 1 HELD userRoot/ipatokenradiusconfiglink.db handle 0 8e dd=39 locks held 1 write locks 0 pid/thread 6134/140367131285248 flags 10 priority 100 8e READ 1 HELD userRoot/ipaassignedidview.db handle 0 8f dd=38 locks held 0 write locks 0 pid/thread 6134/140366720173824 flags 0 priority 100 90 dd=37 locks held 0 write locks 0 pid/thread 6134/140366896420608 flags 0 priority 100 91 dd=36 locks held 1 write locks 0 pid/thread 6134/140366736959232 flags 10 priority 100 91 READ 1 HELD userRoot/uid.db handle 0 92 dd=35 locks held 0 write locks 0 pid/thread 6134/140366736959232 flags 0 priority 100 94 dd=34 locks held 0 write locks 0 pid/thread 6134/140366720173824 flags 0 priority 100 95 dd=33 locks held 0 write locks 0 pid/thread 6134/140366711781120 flags 0 priority 100 97 dd=32 locks held 1 write locks 0 pid/thread 6134/140366711781120 flags 10 priority 100 97 READ 1 HELD userRoot/memberuid.db handle 0 98 dd=31 locks held 0 write locks 0 pid/thread 6134/140366862849792 flags 0 priority 100 99 dd=30 locks held 0 write locks 0 pid/thread 6134/140366896420608 flags 0 priority 100 9a dd=29 locks held 1 write locks 0 pid/thread 6134/140366728566528 flags 10 priority 100 9a READ 1 HELD userRoot/cn.db handle 0 9b dd=28 locks held 0 write locks 0 pid/thread 6134/140366846064384 flags 0 priority 100 9c dd=27 locks held 0 write locks 0 pid/thread 6134/140366862849792 flags 0 priority 100 9d dd=26 locks held 0 write locks 0 pid/thread 6134/140366787315456 flags 0 priority 100 9f dd=25 locks held 0 write locks 0 pid/thread 6134/140366678210304 flags 0 priority 100 a0 
dd=24 locks held 0 write locks 0 pid/thread 6134/140366669817600 flags 0 priority 100 a1 dd=23 locks held 0 write locks 0 pid/thread 6134/140366904813312 flags 0 priority 100 a2 dd=22 locks held 0 write locks 0 pid/thread 6134/140366862849792 flags 0 priority 100 a4 dd=21 locks held 0 write locks 0 pid/thread 6134/140366862849792 flags 0 priority 100 da dd=20 locks held 0 write locks 0 pid/thread 6134/140366745351936 flags 0 priority 100 db dd=19 locks held 0 write locks 0 pid/thread 6134/140366669817600 flags 0 priority 100 dc dd=18 locks held 0 write locks 0 pid/thread 6134/140366745351936 flags 0 priority 100 dd dd=17 locks held 0 write locks 0 pid/thread 6134/140366669817600 flags 0 priority 100 26a dd=16 locks held 0 write locks 0 pid/thread 6134/140366913206016 flags 0 priority 100 274 dd=15 locks held 0 write locks 0 pid/thread 6134/140366736959232 flags 0 priority 100 275 dd=14 locks held 0 write locks 0 pid/thread 6134/140366736959232 flags 0 priority 100 276 dd=13 locks held 0 write locks 0 pid/thread 6134/140366896420608 flags 0 priority 100 277 dd=12 locks held 0 write locks 0 pid/thread 6134/140366896420608 flags 0 priority 100 37c dd=11 locks held 0 write locks 0 pid/thread 6134/140366736959232 flags 0 priority 100 37d dd=10 locks held 0 write locks 0 pid/thread 6134/140366736959232 flags 0 priority 100 37e dd= 9 locks held 0 write locks 0 pid/thread 6134/140366736959232 flags 0 priority 100 37f dd= 8 locks held 1 write locks 0 pid/thread 6134/140366854457088 flags 10 priority 100 37f READ 1 HELD userRoot/memberOf.db handle 0 380 dd= 7 locks held 0 write locks 0 pid/thread 6134/140366854457088 flags 0 priority 100 381 dd= 5 locks held 1 write locks 0 pid/thread 6134/140366703388416 flags 10 priority 100 381 READ 1 HELD userRoot/displayname.db handle 0 382 dd= 4 locks held 1 write locks 0 pid/thread 6134/140366703388416 flags 10 priority 100 382 READ 1 HELD userRoot/sn.db handle 0 383 dd= 3 locks held 1 write locks 0 pid/thread 6134/140366703388416 
flags 10 priority 100 383 READ 1 HELD userRoot/mail.db handle 0 384 dd= 2 locks held 1 write locks 0 pid/thread 6134/140366703388416 flags 10 priority 100 384 READ 1 HELD userRoot/givenName.db handle 0 385 dd= 1 locks held 1 write locks 0 pid/thread 6134/140366703388416 flags 10 priority 100 385 READ 1 HELD userRoot/ipauniqueid.db handle 0 386 dd= 0 locks held 1 write locks 0 pid/thread 6134/140366703388416 flags 10 priority 100 386 READ 1 HELD userRoot/nscpEntryDN.db handle 0 80003201 dd= 6 locks held 234 write locks 110 pid/thread 6134/140366703388416 flags 0 priority 100 80003201 READ 1 HELD userRoot/ipaassignedidview.db page 1 80003201 READ 1 HELD userRoot/ipatokenradiusconfiglink.db page 1 80003201 READ 1 HELD userRoot/ipasudorunasgroup.db page 1 80003201 READ 1 HELD userRoot/ipasudorunas.db page 1 80003201 READ 1 HELD userRoot/memberdenycmd.db page 1 80003201 READ 1 HELD userRoot/memberallowcmd.db page 1 80003201 READ 1 HELD userRoot/managedby.db page 4 80003201 READ 1 HELD userRoot/memberservice.db page 1 80003201 READ 1 HELD userRoot/sourcehost.db page 1 80003201 READ 1 HELD userRoot/memberHost.db page 1 80003201 READ 1 HELD userRoot/memberUser.db page 1 80003201 READ 1 HELD userRoot/secretary.db page 1 80003201 READ 1 HELD userRoot/manager.db page 1 80003201 READ 1 HELD userRoot/seeAlso.db page 1 80003201 READ 1 HELD userRoot/owner.db page 1 80003201 READ 1 HELD userRoot/uniquemember.db page 1 80003201 WRITE 1 HELD userRoot/id2entry.db page 6 80003201 WRITE 2 HELD userRoot/member.db page 110 80003201 READ 1 HELD userRoot/member.db page 3 80003201 WRITE 2 HELD userRoot/member.db page 3 80003201 READ 1 HELD userRoot/member.db page 59 80003201 WRITE 2 HELD userRoot/member.db page 59 80003201 READ 1 HELD userRoot/memberOf.db page 4 80003201 READ 3 HELD userRoot/member.db page 110 80003201 READ 2 HELD changelog/nsuniqueid.db page 18 80003201 READ 6 HELD changelog/entryrdn.db page 51 80003201 READ 4 HELD changelog/entryrdn.db page 13 80003201 WRITE 2 HELD 
changelog/id2entry.db page 661 80003201 WRITE 6 HELD changelog/objectclass.db page 1 80003201 WRITE 2 HELD changelog/targetuniqueid.db page 45 80003201 WRITE 2 HELD changelog/changenumber.db page 2 80003201 WRITE 2 HELD changelog/nsuniqueid.db page 18 80003201 WRITE 2 HELD changelog/parentid.db page 1 80003201 WRITE 2 HELD changelog/entryusn.db page 5 80003201 WRITE 2 HELD changelog/ancestorid.db page 1 80003201 WRITE 2 HELD changelog/entryrdn.db page 13 80003201 WRITE 2 HELD changelog/entryrdn.db page 85 80003201 WRITE 2 HELD changelog/entryrdn.db page 63 80003201 WRITE 2 HELD changelog/id2entry.db page 2 80003201 WRITE 2 HELD changelog/numsubordinates.db page 1 80003201 WRITE 1 HELD userRoot/numsubordinates.db page 1 80003201 WRITE 1 HELD userRoot/id2entry.db page 2 80003201 WRITE 1 HELD userRoot/nscpEntryDN.db page 1 80003201 WRITE 1 HELD userRoot/objectclass.db page 17 80003201 WRITE 3 HELD userRoot/entryrdn.db page 68 80003201 READ 1 HELD userRoot/entryrdn.db page 68 80003201 WRITE 3 HELD userRoot/entryrdn.db page 3 80003201 WRITE 3 HELD userRoot/entryrdn.db page 69 80003201 WRITE 4 HELD userRoot/ancestorid.db page 3 80003201 READ 2 HELD userRoot/ancestorid.db page 3 80003201 WRITE 2 HELD userRoot/ancestorid.db page 4 80003201 READ 1 HELD userRoot/ancestorid.db page 4 80003201 WRITE 2 HELD userRoot/memberOf.db page 12 80003201 READ 1 HELD userRoot/memberOf.db page 12 80003201 WRITE 6 HELD userRoot/entryusn.db page 8 80003201 READ 2 HELD userRoot/entryusn.db page 8 80003201 WRITE 2 HELD userRoot/uidnumber.db page 4 80003201 READ 1 HELD userRoot/uidnumber.db page 4 80003201 WRITE 3 HELD userRoot/parentid.db page 1 80003201 READ 1 HELD userRoot/parentid.db page 1 80003201 WRITE 2 HELD userRoot/ipauniqueid.db page 5 80003201 READ 1 HELD userRoot/ipauniqueid.db page 5 80003201 WRITE 3 HELD userRoot/nsuniqueid.db page 2 80003201 READ 1 HELD userRoot/nsuniqueid.db page 2 80003201 WRITE 2 HELD userRoot/uid.db page 21 80003201 READ 1 HELD userRoot/uid.db page 21 
80003201 WRITE 2 HELD userRoot/uid.db page 12 80003201 READ 1 HELD userRoot/uid.db page 12 80003201 WRITE 2 HELD userRoot/uid.db page 16 80003201 READ 1 HELD userRoot/uid.db page 16 80003201 WRITE 2 HELD userRoot/uid.db page 15 80003201 READ 1 HELD userRoot/uid.db page 15 80003201 WRITE 2 HELD userRoot/uid.db page 4 80003201 READ 1 HELD userRoot/uid.db page 4 80003201 WRITE 2 HELD userRoot/uid.db page 9 80003201 READ 1 HELD userRoot/uid.db page 9 80003201 WRITE 2 HELD userRoot/uid.db page 19 80003201 READ 1 HELD userRoot/uid.db page 19 80003201 WRITE 2 HELD userRoot/givenName.db page 27 80003201 READ 1 HELD userRoot/givenName.db page 27 80003201 WRITE 2 HELD userRoot/givenName.db page 3 80003201 READ 1 HELD userRoot/givenName.db page 3 80003201 WRITE 2 HELD userRoot/givenName.db page 22 80003201 READ 1 HELD userRoot/givenName.db page 22 80003201 WRITE 2 HELD userRoot/givenName.db page 11 80003201 READ 1 HELD userRoot/givenName.db page 11 80003201 WRITE 2 HELD userRoot/givenName.db page 17 80003201 READ 1 HELD userRoot/givenName.db page 17 80003201 WRITE 2 HELD userRoot/givenName.db page 15 80003201 READ 1 HELD userRoot/givenName.db page 15 80003201 WRITE 2 HELD userRoot/givenName.db page 16 80003201 READ 1 HELD userRoot/givenName.db page 16 80003201 WRITE 2 HELD userRoot/givenName.db page 25 80003201 READ 1 HELD userRoot/givenName.db page 25 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 11 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 11 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 9 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 9 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 10 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 10 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 2 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 2 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 3 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 3 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 
8 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 8 80003201 WRITE 6 HELD userRoot/krbPrincipalName.db page 15 80003201 READ 3 HELD userRoot/krbPrincipalName.db page 15 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 6 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 6 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 80 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 80 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 81 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 81 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 79 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 79 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 38 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 38 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 4 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 4 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 47 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 47 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 84 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 84 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 39 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 39 80003201 WRITE 2 HELD userRoot/mail.db page 42 80003201 READ 1 HELD userRoot/mail.db page 42 80003201 WRITE 2 HELD userRoot/mail.db page 12 80003201 READ 1 HELD userRoot/mail.db page 12 80003201 WRITE 2 HELD userRoot/mail.db page 2 80003201 READ 1 HELD userRoot/mail.db page 2 80003201 WRITE 2 HELD userRoot/mail.db page 67 80003201 READ 1 HELD userRoot/mail.db page 67 80003201 WRITE 2 HELD userRoot/mail.db page 25 80003201 READ 1 HELD userRoot/mail.db page 25 80003201 WRITE 2 HELD userRoot/mail.db page 41 80003201 READ 1 HELD userRoot/mail.db page 41 80003201 WRITE 2 HELD userRoot/mail.db page 35 80003201 READ 1 HELD userRoot/mail.db page 35 80003201 WRITE 2 HELD userRoot/mail.db page 74 80003201 READ 1 HELD userRoot/mail.db page 74 80003201 WRITE 2 HELD 
userRoot/mail.db page 40 80003201 READ 1 HELD userRoot/mail.db page 40 80003201 WRITE 2 HELD userRoot/mail.db page 9 80003201 READ 1 HELD userRoot/mail.db page 9 80003201 WRITE 2 HELD userRoot/mail.db page 75 80003201 READ 1 HELD userRoot/mail.db page 75 80003201 WRITE 2 HELD userRoot/mail.db page 43 80003201 READ 1 HELD userRoot/mail.db page 43 80003201 WRITE 2 HELD userRoot/mail.db page 27 80003201 READ 1 HELD userRoot/mail.db page 27 80003201 WRITE 2 HELD userRoot/mail.db page 10 80003201 READ 1 HELD userRoot/mail.db page 10 80003201 WRITE 2 HELD userRoot/mail.db page 72 80003201 READ 1 HELD userRoot/mail.db page 72 80003201 WRITE 2 HELD userRoot/sn.db page 9 80003201 READ 1 HELD userRoot/sn.db page 9 80003201 WRITE 2 HELD userRoot/sn.db page 3 80003201 READ 1 HELD userRoot/sn.db page 3 80003201 WRITE 2 HELD userRoot/sn.db page 5 80003201 READ 1 HELD userRoot/sn.db page 5 80003201 WRITE 2 HELD userRoot/sn.db page 25 80003201 READ 1 HELD userRoot/sn.db page 25 80003201 WRITE 2 HELD userRoot/sn.db page 6 80003201 READ 1 HELD userRoot/sn.db page 6 80003201 WRITE 4 HELD userRoot/sn.db page 29 80003201 READ 2 HELD userRoot/sn.db page 29 80003201 WRITE 2 HELD userRoot/gidnumber.db page 2 80003201 READ 1 HELD userRoot/gidnumber.db page 2 80003201 WRITE 26 HELD userRoot/displayname.db page 1 80003201 READ 13 HELD userRoot/displayname.db page 1 80003201 WRITE 2 HELD userRoot/objectclass.db page 16 80003201 READ 1 HELD userRoot/objectclass.db page 16 80003201 WRITE 2 HELD userRoot/objectclass.db page 9 80003201 READ 1 HELD userRoot/objectclass.db page 9 80003201 WRITE 2 HELD userRoot/objectclass.db page 15 80003201 READ 1 HELD userRoot/objectclass.db page 15 80003201 WRITE 2 HELD userRoot/objectclass.db page 18 80003201 READ 1 HELD userRoot/objectclass.db page 18 80003201 WRITE 4 HELD userRoot/objectclass.db page 2 80003201 READ 2 HELD userRoot/objectclass.db page 2 80003201 WRITE 4 HELD userRoot/objectclass.db page 8 80003201 READ 2 HELD userRoot/objectclass.db page 8 
80003201 WRITE 6 HELD userRoot/objectclass.db page 19 80003201 READ 21 HELD userRoot/objectclass.db page 19 80003201 WRITE 4 HELD userRoot/objectclass.db page 3 80003201 READ 2 HELD userRoot/objectclass.db page 3 80003201 WRITE 2 HELD userRoot/cn.db page 28 80003201 READ 1 HELD userRoot/cn.db page 28 80003201 WRITE 2 HELD userRoot/cn.db page 81 80003201 READ 1 HELD userRoot/cn.db page 81 80003201 WRITE 2 HELD userRoot/cn.db page 21 80003201 READ 1 HELD userRoot/cn.db page 21 80003201 WRITE 2 HELD userRoot/cn.db page 32 80003201 READ 1 HELD userRoot/cn.db page 32 80003201 WRITE 2 HELD userRoot/cn.db page 2 80003201 READ 1 HELD userRoot/cn.db page 2 80003201 WRITE 2 HELD userRoot/cn.db page 4 80003201 READ 1 HELD userRoot/cn.db page 4 80003201 WRITE 2 HELD userRoot/cn.db page 52 80003201 READ 1 HELD userRoot/cn.db page 52 80003201 WRITE 2 HELD userRoot/cn.db page 53 80003201 READ 1 HELD userRoot/cn.db page 53 80003201 WRITE 2 HELD userRoot/cn.db page 44 80003201 READ 1 HELD userRoot/cn.db page 44 80003201 WRITE 2 HELD userRoot/cn.db page 26 80003201 READ 1 HELD userRoot/cn.db page 26 80003201 WRITE 2 HELD userRoot/cn.db page 67 80003201 READ 1 HELD userRoot/cn.db page 67 80003201 WRITE 2 HELD userRoot/cn.db page 16 80003201 READ 1 HELD userRoot/cn.db page 16 80003201 WRITE 2 HELD userRoot/cn.db page 15 80003201 READ 1 HELD userRoot/cn.db page 15 80003201 WRITE 2 HELD userRoot/cn.db page 78 80003201 READ 1 HELD userRoot/cn.db page 78 80003201 WRITE 24 HELD userRoot/id2entry.db page 0 80003201 WRITE 1 HELD userRoot/id2entry.db page 1420 80003201 READ 1 HELD userRoot/id2entry.db page 3 80003201 READ 1 HELD userRoot/entryrdn.db page 19 80003201 READ 1 HELD userRoot/id2entry.db page 8 80003201 READ 3 HELD userRoot/entryrdn.db page 69 80003201 READ 1 HELD userRoot/entryrdn.db page 4 80003201 READ 1 HELD userRoot/id2entry.db page 20 80003201 READ 10 HELD userRoot/entryrdn.db page 3 80003201 READ 1 HELD userRoot/id2entry.db page 5 80003201 READ 3 HELD userRoot/entryrdn.db 
page 23 80003201 READ 3 HELD userRoot/entryrdn.db page 28 80003201 READ 2 HELD userRoot/entryrdn.db page 9 80003201 READ 1 HELD userRoot/id2entry.db page 66 80003201 READ 5 HELD userRoot/entryrdn.db page 6 80003201 READ 5 HELD userRoot/entryrdn.db page 20 80003201 READ 10 HELD userRoot/entryrdn.db page 40 80003201 READ 14 HELD userRoot/entryrdn.db page 41 80003231 dd=4294967295 locks held 4 write locks 0 pid/thread 6134/140366703388416 flags 0 priority 100 80003231 READ 1 HELD userRoot/id2entry.db page 1420 80003231 READ 2 HELD userRoot/entryrdn.db page 3 80003231 READ 1 HELD userRoot/entryrdn.db page 40 80003231 READ 1 HELD userRoot/entryrdn.db page 41
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Locks grouped by object:
Locker Mode Count Status ----------------- Object ---------------
49 READ 1 HELD userRoot/aci.db handle 0 61 READ 1 HELD userRoot/ipakrbprincipalalias.db handle 0 80003201 READ 1 HELD userRoot/seeAlso.db page 1 66 READ 1 HELD userRoot/seeAlso.db handle 0 75 READ 1 HELD ipaca/cn.db handle 0 1d READ 1 HELD ipaca/vlv#cacompletepkitomcatindex.db handle 0 89 READ 1 HELD userRoot/memberallowcmd.db handle 0 80003201 READ 1 HELD userRoot/memberallowcmd.db page 1 82 READ 1 HELD userRoot/manager.db handle 0 80003201 READ 1 HELD userRoot/manager.db page 1 56 READ 1 HELD changelog/targetuniqueid.db handle 0 80003201 WRITE 2 HELD changelog/targetuniqueid.db page 45 21 READ 1 HELD ipaca/vlv#caenrollmentpkitomcatindex.db handle 0 83 READ 1 HELD userRoot/secretary.db handle 0 80003201 READ 1 HELD userRoot/secretary.db page 1 7b READ 1 HELD userRoot/uidnumber.db handle 0 80003201 READ 1 HELD userRoot/uidnumber.db page 4 80003201 WRITE 2 HELD userRoot/uidnumber.db page 4 386 READ 1 HELD userRoot/nscpEntryDN.db handle 0 80003201 WRITE 1 HELD userRoot/nscpEntryDN.db page 1 58 READ 1 HELD changelog/ancestorid.db handle 0 80003201 WRITE 2 HELD changelog/ancestorid.db page 1 6 READ 1 HELD ipaca/entryrdn.db handle 0 80003201 READ 1 HELD userRoot/cn.db page 67
80003201 WRITE 2 HELD userRoot/cn.db page 67 80003201 READ 1 HELD userRoot/cn.db page 78 80003201 WRITE 2 HELD userRoot/cn.db page 78 80003201 READ 1 HELD userRoot/cn.db page 81 80003201 WRITE 2 HELD userRoot/cn.db page 81 381 READ 1 HELD userRoot/displayname.db handle 0 80003201 READ 13 HELD userRoot/displayname.db page 1 80003201 WRITE 26 HELD userRoot/displayname.db page 1 80003201 READ 1 HELD userRoot/cn.db page 32 80003201 WRITE 2 HELD userRoot/cn.db page 32 80003201 READ 1 HELD userRoot/cn.db page 44 80003201 WRITE 2 HELD userRoot/cn.db page 44 80003201 READ 1 HELD userRoot/cn.db page 52 80003201 WRITE 2 HELD userRoot/cn.db page 52 80003201 READ 1 HELD userRoot/cn.db page 53 80003201 WRITE 2 HELD userRoot/cn.db page 53 80003201 READ 1 HELD userRoot/cn.db page 4 80003201 WRITE 2 HELD userRoot/cn.db page 4 80003201 READ 1 HELD userRoot/cn.db page 2 80003201 WRITE 2 HELD userRoot/cn.db page 2 9a READ 1 HELD userRoot/cn.db handle 0 80003201 READ 1 HELD userRoot/cn.db page 15 80003201 WRITE 2 HELD userRoot/cn.db page 15 80003201 READ 1 HELD userRoot/cn.db page 21 80003201 WRITE 2 HELD userRoot/cn.db page 21 80003201 READ 1 HELD userRoot/cn.db page 16 80003201 WRITE 2 HELD userRoot/cn.db page 16 80003201 READ 1 HELD userRoot/cn.db page 28 80003201 WRITE 2 HELD userRoot/cn.db page 28 80003201 READ 1 HELD userRoot/cn.db page 26 80003201 WRITE 2 HELD userRoot/cn.db page 26 4d READ 1 HELD ipaca/aci.db handle 0 80003201 READ 3 HELD userRoot/entryrdn.db page 69 80003201 WRITE 3 HELD userRoot/entryrdn.db page 69 80003201 READ 1 HELD userRoot/entryrdn.db page 68 80003201 WRITE 3 HELD userRoot/entryrdn.db page 68 80003201 READ 14 HELD userRoot/entryrdn.db page 41 80003231 READ 1 HELD userRoot/entryrdn.db page 41 80003201 READ 10 HELD userRoot/entryrdn.db page 40 80003231 READ 1 HELD userRoot/entryrdn.db page 40 80003201 READ 1 HELD userRoot/entryrdn.db page 4 80003201 READ 5 HELD userRoot/entryrdn.db page 6 34 READ 1 HELD userRoot/entryrdn.db handle 0 80003201 READ 10 HELD 
userRoot/entryrdn.db page 3 80003201 WRITE 3 HELD userRoot/entryrdn.db page 3 80003231 READ 2 HELD userRoot/entryrdn.db page 3 80003201 READ 2 HELD userRoot/entryrdn.db page 9 80003201 READ 5 HELD userRoot/entryrdn.db page 20 80003201 READ 3 HELD userRoot/entryrdn.db page 23 80003201 READ 1 HELD userRoot/entryrdn.db page 19 80003201 READ 3 HELD userRoot/entryrdn.db page 28 80003201 READ 1 HELD userRoot/givenName.db page 3 80003201 WRITE 2 HELD userRoot/givenName.db page 3 384 READ 1 HELD userRoot/givenName.db handle 0 80003201 READ 1 HELD userRoot/givenName.db page 11 80003201 WRITE 2 HELD userRoot/givenName.db page 11 80003201 READ 1 HELD userRoot/givenName.db page 15 80003201 WRITE 2 HELD userRoot/givenName.db page 15 80003201 READ 1 HELD userRoot/givenName.db page 17 80003201 WRITE 2 HELD userRoot/givenName.db page 17 80003201 READ 1 HELD userRoot/givenName.db page 16 80003201 WRITE 2 HELD userRoot/givenName.db page 16 80003201 READ 1 HELD userRoot/givenName.db page 22 80003201 WRITE 2 HELD userRoot/givenName.db page 22 80003201 READ 1 HELD userRoot/givenName.db page 27 80003201 WRITE 2 HELD userRoot/givenName.db page 27 80003201 READ 1 HELD userRoot/givenName.db page 25 80003201 WRITE 2 HELD userRoot/givenName.db page 25 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 47 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 47 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 39 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 39 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 38 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 38 23 READ 1 HELD ipaca/vlv#capendingenrollmentpkitomcatindex.db handle 0 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 9 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 9 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 8 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 8 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 11 80003201 WRITE 2 HELD 
userRoot/krbPrincipalName.db page 11 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 10 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 10 80003201 READ 3 HELD userRoot/krbPrincipalName.db page 15 80003201 WRITE 6 HELD userRoot/krbPrincipalName.db page 15 5d READ 1 HELD userRoot/krbPrincipalName.db handle 0 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 3 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 3 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 2 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 2 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 4 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 4 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 6 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 6 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 79 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 79 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 81 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 81 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 80 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 80 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 84 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 84 2c READ 1 HELD changelog/id2entry.db handle 0 80003201 WRITE 2 HELD changelog/id2entry.db page 2 a READ 1 HELD ipaca/vlv#allcertspkitomcatindex.db handle 0 44 READ 1 HELD ipaca/objectclass.db handle 0 80003201 READ 1 HELD userRoot/gidnumber.db page 2 80003201 WRITE 2 HELD userRoot/gidnumber.db page 2 79 READ 1 HELD userRoot/gidnumber.db handle 0 77 READ 1 HELD ipaca/requeststate.db handle 0 80003201 WRITE 2 HELD changelog/id2entry.db page 661 385 READ 1 HELD userRoot/ipauniqueid.db handle 0 80003201 READ 1 HELD userRoot/ipauniqueid.db page 5 80003201 WRITE 2 HELD userRoot/ipauniqueid.db page 5 c READ 1 HELD ipaca/vlv#allinvalidcertspkitomcatindex.db handle 0 16 READ 1 HELD ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db handle 0 
80003201 WRITE 2 HELD changelog/entryusn.db page 5 2e READ 1 HELD changelog/entryusn.db handle 0 80003201 READ 2 HELD userRoot/sn.db page 29 80003201 WRITE 4 HELD userRoot/sn.db page 29 80003201 READ 1 HELD userRoot/sn.db page 25 80003201 WRITE 2 HELD userRoot/sn.db page 25 80003201 READ 1 HELD userRoot/sn.db page 6 80003201 WRITE 2 HELD userRoot/sn.db page 6 80003201 READ 1 HELD userRoot/sn.db page 5 80003201 WRITE 2 HELD userRoot/sn.db page 5 80003201 READ 1 HELD userRoot/sn.db page 3 80003201 WRITE 2 HELD userRoot/sn.db page 3 382 READ 1 HELD userRoot/sn.db handle 0 80003201 READ 1 HELD userRoot/sn.db page 9 80003201 WRITE 2 HELD userRoot/sn.db page 9 4 READ 1 HELD ipaca/id2entry.db handle 0 80003201 READ 1 HELD userRoot/owner.db page 1 81 READ 1 HELD userRoot/owner.db handle 0 7d READ 1 HELD userRoot/nsuniqueid.db handle 0 80003201 READ 1 HELD userRoot/nsuniqueid.db page 2 80003201 WRITE 3 HELD userRoot/nsuniqueid.db page 2 32 READ 1 HELD ipaca/entryusn.db handle 0 91 READ 1 HELD userRoot/uid.db handle 0 80003201 READ 1 HELD userRoot/uid.db page 4 80003201 WRITE 2 HELD userRoot/uid.db page 4 80003201 READ 1 HELD userRoot/uid.db page 9 80003201 WRITE 2 HELD userRoot/uid.db page 9 80003201 READ 1 HELD userRoot/uid.db page 15 80003201 WRITE 2 HELD userRoot/uid.db page 15 80003201 READ 1 HELD userRoot/uid.db page 12 80003201 WRITE 2 HELD userRoot/uid.db page 12 80003201 READ 1 HELD userRoot/uid.db page 19 80003201 WRITE 2 HELD userRoot/uid.db page 19 80003201 READ 1 HELD userRoot/uid.db page 16 80003201 WRITE 2 HELD userRoot/uid.db page 16 52 READ 1 HELD changelog/nsuniqueid.db handle 0 7e READ 1 HELD userRoot/numsubordinates.db handle 0 80003201 WRITE 1 HELD userRoot/numsubordinates.db page 1 80003201 READ 1 HELD userRoot/uid.db page 21 80003201 WRITE 2 HELD userRoot/uid.db page 21 80003201 READ 2 HELD changelog/nsuniqueid.db page 18 80003201 WRITE 2 HELD changelog/nsuniqueid.db page 18 80003201 READ 1 HELD userRoot/memberdenycmd.db page 1 8a READ 1 HELD 
userRoot/memberdenycmd.db handle 0 8c READ 1 HELD userRoot/ipasudorunasgroup.db handle 0 80003201 READ 1 HELD userRoot/ipasudorunasgroup.db page 1 80003201 READ 1 HELD userRoot/id2entry.db page 66 47 READ 1 HELD changelog/aci.db handle 0 80003201 READ 1 HELD userRoot/id2entry.db page 20 80003201 READ 1 HELD userRoot/id2entry.db page 8 80003201 WRITE 1 HELD userRoot/id2entry.db page 6 80003201 READ 1 HELD userRoot/id2entry.db page 5 80003201 READ 1 HELD userRoot/id2entry.db page 3 80003201 WRITE 1 HELD userRoot/id2entry.db page 2 36 READ 1 WAIT userRoot/id2entry.db page 2 80003201 WRITE 24 HELD userRoot/id2entry.db page 0 2 READ 1 HELD userRoot/id2entry.db handle 0 80003201 READ 1 HELD userRoot/memberUser.db page 1 84 READ 1 HELD userRoot/memberUser.db handle 0 80003201 WRITE 6 HELD changelog/objectclass.db page 1 40 READ 1 HELD changelog/objectclass.db handle 0 8b READ 1 HELD userRoot/ipasudorunas.db handle 0 80003201 READ 1 HELD userRoot/ipasudorunas.db page 1 15 READ 1 HELD ipaca/vlv#allvalidcertspkitomcatindex.db handle 0 57 READ 1 HELD changelog/parentid.db handle 0 80003201 WRITE 2 HELD changelog/parentid.db page 1 86 READ 1 HELD userRoot/sourcehost.db handle 0 80003201 READ 1 HELD userRoot/sourcehost.db page 1 80003201 WRITE 2 HELD changelog/entryrdn.db page 85 3c READ 1 HELD changelog/entryrdn.db handle 0 80003201 READ 4 HELD changelog/entryrdn.db page 13 80003201 WRITE 2 HELD changelog/entryrdn.db page 13 80003201 READ 1 HELD userRoot/ipaassignedidview.db page 1 8e READ 1 HELD userRoot/ipaassignedidview.db handle 0 80003201 WRITE 1 HELD userRoot/id2entry.db page 1420 80003231 READ 1 HELD userRoot/id2entry.db page 1420 80003201 READ 6 HELD changelog/entryrdn.db page 51 80003201 READ 1 HELD userRoot/memberOf.db page 4 80003201 WRITE 2 HELD changelog/entryrdn.db page 63 37f READ 1 HELD userRoot/memberOf.db handle 0 80003201 READ 1 HELD userRoot/memberOf.db page 12 80003201 WRITE 2 HELD userRoot/memberOf.db page 12 80003201 READ 1 HELD 
userRoot/ipatokenradiusconfiglink.db page 1 8d READ 1 HELD userRoot/ipatokenradiusconfiglink.db handle 0 80003201 READ 1 HELD userRoot/managedby.db page 4 68 READ 1 HELD ipaca/seeAlso.db handle 0 88 READ 1 HELD userRoot/managedby.db handle 0 22 READ 1 HELD ipaca/vlv#capendingpkitomcatindex.db handle 0 1e READ 1 HELD ipaca/vlv#cacompleteenrollmentpkitomcatindex.db handle 0 85 READ 1 HELD userRoot/memberHost.db handle 0 80003201 READ 1 HELD userRoot/memberHost.db page 1 18 READ 1 HELD ipaca/vlv#caallpkitomcatindex.db handle 0 97 READ 1 HELD userRoot/memberuid.db handle 0 87 READ 1 HELD userRoot/memberservice.db handle 0 80003201 READ 1 HELD userRoot/memberservice.db page 1 80003201 READ 1 HELD userRoot/parentid.db page 1 80003201 WRITE 3 HELD userRoot/parentid.db page 1 4f READ 1 HELD userRoot/parentid.db handle 0 80003201 WRITE 2 HELD changelog/changenumber.db page 2 53 READ 1 HELD changelog/changenumber.db handle 0 64 READ 1 HELD changelog/seeAlso.db handle 0 80003201 READ 2 HELD userRoot/entryusn.db page 8 80003201 WRITE 6 HELD userRoot/entryusn.db page 8 30 READ 1 HELD userRoot/entryusn.db handle 0 80003201 READ 1 HELD userRoot/ancestorid.db page 4 80003201 WRITE 2 HELD userRoot/ancestorid.db page 4 3a READ 1 HELD userRoot/ancestorid.db handle 0 80003201 READ 2 HELD userRoot/ancestorid.db page 3 80003201 WRITE 4 HELD userRoot/ancestorid.db page 3 80003201 READ 1 HELD userRoot/mail.db page 67 80003201 WRITE 2 HELD userRoot/mail.db page 67 80003201 READ 1 HELD userRoot/mail.db page 72 80003201 WRITE 2 HELD userRoot/mail.db page 72 80003201 READ 1 HELD userRoot/mail.db page 74 80003201 WRITE 2 HELD userRoot/mail.db page 74 80003201 READ 1 HELD userRoot/mail.db page 75 80003201 WRITE 2 HELD userRoot/mail.db page 75 383 READ 1 HELD userRoot/mail.db handle 0 80003201 READ 1 HELD userRoot/mail.db page 2 80003201 WRITE 2 HELD userRoot/mail.db page 2 80003201 READ 1 HELD userRoot/mail.db page 12 80003201 WRITE 2 HELD userRoot/mail.db page 12 80003201 READ 1 HELD 
userRoot/mail.db page 9 80003201 WRITE 2 HELD userRoot/mail.db page 9 80003201 READ 1 HELD userRoot/mail.db page 10 80003201 WRITE 2 HELD userRoot/mail.db page 10 80003201 READ 1 HELD userRoot/mail.db page 25 80003201 WRITE 2 HELD userRoot/mail.db page 25 80003201 READ 1 HELD userRoot/mail.db page 27 80003201 WRITE 2 HELD userRoot/mail.db page 27 80003201 READ 1 HELD userRoot/mail.db page 35 80003201 WRITE 2 HELD userRoot/mail.db page 35 80003201 READ 1 HELD userRoot/mail.db page 40 80003201 WRITE 2 HELD userRoot/mail.db page 40 80003201 READ 1 HELD userRoot/mail.db page 41 80003201 WRITE 2 HELD userRoot/mail.db page 41 80003201 READ 1 HELD userRoot/mail.db page 42 80003201 WRITE 2 HELD userRoot/mail.db page 42 80003201 READ 1 HELD userRoot/mail.db page 43 80003201 WRITE 2 HELD userRoot/mail.db page 43 d READ 1 HELD ipaca/vlv#allinvalidcertsnotbeforepkitomcatindex.db handle 0 80 READ 1 HELD userRoot/uniquemember.db handle 0 80003201 READ 1 HELD userRoot/uniquemember.db page 1 80003201 READ 1 HELD userRoot/member.db page 59 80003201 WRITE 2 HELD userRoot/member.db page 59 80003201 READ 1 HELD userRoot/member.db page 3 80003201 WRITE 2 HELD userRoot/member.db page 3 7f READ 1 HELD userRoot/member.db handle 0 80003201 READ 3 HELD userRoot/member.db page 110 80003201 WRITE 2 HELD userRoot/member.db page 110 59 READ 1 HELD changelog/numsubordinates.db handle 0 80003201 WRITE 2 HELD changelog/numsubordinates.db page 1 e READ 1 HELD ipaca/vlv#allnonrevokedcertspkitomcatindex.db handle 0 71 READ 1 HELD ipaca/certstatus.db handle 0 17 READ 1 HELD ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db handle 0 80003201 READ 2 HELD userRoot/objectclass.db page 8 80003201 WRITE 4 HELD userRoot/objectclass.db page 8 80003201 READ 1 HELD userRoot/objectclass.db page 9 80003201 WRITE 2 HELD userRoot/objectclass.db page 9 80003201 READ 1 HELD userRoot/objectclass.db page 15 80003201 WRITE 2 HELD userRoot/objectclass.db page 15 80003201 READ 2 HELD userRoot/objectclass.db page 2 
80003201 WRITE 4 HELD userRoot/objectclass.db page 2 43 READ 1 WAIT userRoot/objectclass.db page 2 80003201 READ 2 HELD userRoot/objectclass.db page 3 80003201 WRITE 4 HELD userRoot/objectclass.db page 3 38 READ 1 HELD userRoot/objectclass.db handle 0 80003201 READ 1 HELD userRoot/objectclass.db page 18 80003201 WRITE 2 HELD userRoot/objectclass.db page 18 80003201 READ 21 HELD userRoot/objectclass.db page 19 80003201 WRITE 6 HELD userRoot/objectclass.db page 19 80003201 READ 1 HELD userRoot/objectclass.db page 16 80003201 WRITE 2 HELD userRoot/objectclass.db page 16 80003201 WRITE 1 HELD userRoot/objectclass.db page 17

On Tue, Sep 22, 2015 at 4:12 AM, thierry bordaz wrote:
> Hi,
>
> If it hangs again, could you get a pstack of the slapd process
> And also dump the db info
> 'db_stat -h /var/lib/dirsrv/slapd-/db -N -CA'. This would help
> to know which thread holds the lock that blocks those operations?
>
> thanks
> thierry
>
> On 09/18/2015 09:20 PM, HECTOR LOPEZ wrote:
> > Ludwig Krispenz,
> >
> > This is the output of gstack on ns-slapd (pstack on rhel), also killing
> > the ns-slapd process gave this error "ipa: ERROR: cannot connect to
> > 'ldapi://%2fvar%2frun%2fslapd-GSEIS-UCLA-EDU.socket': " After that I could
> > use ipactl restart and the command runs successfully. Thank you for
> > helping me.
> > Again, here is the pstack output of ns-slapd:
> >
> > -sh-4.2$ sudo gstack 2197
> > Thread 45 (Thread 0x7f3ad8144700 (LWP 2651)):
> > #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
> > #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
> > #2 0x00007f3adc11e4a7 in deadlock_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 44 (Thread 0x7f3ad7943700 (LWP 2652)):
> > #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
> > #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
> > #2 0x00007f3adc122576 in checkpoint_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 43 (Thread 0x7f3ad7142700 (LWP 2653)):
> > #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
> > #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
> > #2 0x00007f3adc11e71f in trickle_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 42 (Thread 0x7f3ad6941700 (LWP 2654)):
> > #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
> > #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
> > #2 0x00007f3adc119437 in perf_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 41 (Thread 0x7f3ad6140700 (LWP 2655)):
> > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
> > #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
> > #3 0x00007f3ae058164e in cos_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libcos-plugin.so
> > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 40 (Thread 0x7f3ad593f700 (LWP 2656)):
> > #0 0x00007f3ae7400b7d in poll () from /lib64/libc.so.6
> > #1 0x00007f3addf0247c in ipa_cldap_worker () from /usr/lib64/dirsrv/plugins/libipa_cldap.so
> > #2 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #3 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 39 (Thread 0x7f3ad513e700 (LWP 2657)):
> > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
> > #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
> > #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
> > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 38 (Thread 0x7f3ad493d700 (LWP 2658)):
> > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
> > #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
> > #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
> > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 37 (Thread 0x7f3acffff700 (LWP 2659)):
> > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
> > #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
> > #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
> > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 36 (Thread 0x7f3acf7fe700 (LWP 2660)):
> > #0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> > #1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so
> > #2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so
> > #3 0x00007f3ae9e21a93 in housecleaning ()
> > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 35 (Thread 0x7f3aceffd700 (LWP 2661)):
> > #0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> > #1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so
> > #2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so
> > #3 0x00007f3ae9914188 in eq_loop () from /usr/lib64/dirsrv/libslapd.so.0
> > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 34 (Thread 0x7f3ace55b700 (LWP 2663)):
> > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
> > #2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
> > #3 0x00007f3ae9e1988d in connection_threadmain ()
> > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 33 (Thread 0x7f3acdd5a700 (LWP 2664)):
> > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
> > #2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
> > #3 0x00007f3ae9e1988d in connection_threadmain ()
> > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 32 (Thread 0x7f3acd559700 (LWP 2665)):
> > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> > #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
> > #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
> > #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
> > #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
> > #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
> > #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
> > #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
> > #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
> > #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
> > #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so
> > #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #18 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #19 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #20 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #21 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #22 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #23 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #24 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0
> > #25 0x00007f3ae9e2b07e in do_search ()
> > #26 0x00007f3ae9e1a405 in connection_threadmain ()
> > #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
> > #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
> > #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
> > Thread 31 (Thread 0x7f3accd58700 (LWP 2666)):
> > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> > #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
> > #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
> > #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
> > #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
> > #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
> > #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
> > #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
> > #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
> > #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
> > #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so
> > #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #18 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #19 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #20 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #21 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #22 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #23 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> > #24 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0
> > #25 0x00007f3ae9e2b07e in do_search ()
> > #26 0x00007f3ae9e1a405 in connection_threadmain ()
> > #27 0x00007f3ae7d3c7bb in _pt_root () from
/lib64/libnspr4.so > > #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 30 (Thread 0x7f3ac3fff700 (LWP 2667)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ > libdb-5.3.so > > #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so > > #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so > > #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so > > #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so > > #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so > > #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so > > #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so > > #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so > > #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so > > #11 0x00007f3adc12d180 in idl_new_fetch () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #12 0x00007f3adc13b5e6 in index_read_ext_allids () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #13 0x00007f3adc125dd4 in keys2idl () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #14 0x00007f3adc126533 in ava_candidates.isra.0 () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #15 0x00007f3adc126b22 in filter_candidates_ext () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #16 0x00007f3adc127b96 in list_candidates () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #17 0x00007f3adc126a90 in filter_candidates_ext () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #18 0x00007f3adc161fdc in subtree_candidates () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #19 0x00007f3adc1635f7 in ldbm_back_search () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #20 0x00007f3ae993fd49 in op_shared_search () from > 
/usr/lib64/dirsrv/libslapd.so.0 > > #21 0x00007f3ae99501de in search_internal_callback_pb () from > /usr/lib64/dirsrv/libslapd.so.0 > > #22 0x00007f3ae9950478 in search_internal_pb () from > /usr/lib64/dirsrv/libslapd.so.0 > > #23 0x00007f3ae9e291fb in ids_sasl_canon_user () > > #24 0x00007f3ae7afd93b in _sasl_canon_user () from /lib64/libsasl2.so.3 > > #25 0x00007f3ae7afdc4c in _sasl_canon_user_lookup () from > /lib64/libsasl2.so.3 > > #26 0x00007f3ae1c226de in crammd5_server_mech_step2.isra.6 () from > /usr/lib64/sasl2/libcrammd5.so > > #27 0x00007f3ae1c22ad9 in crammd5_server_mech_step () from > /usr/lib64/sasl2/libcrammd5.so > > #28 0x00007f3ae7b09b88 in sasl_server_step () from /lib64/libsasl2.so.3 > > #29 0x00007f3ae9e2a576 in ids_sasl_check_bind () > > #30 0x00007f3ae9e13b22 in do_bind () > > #31 0x00007f3ae9e1a43f in connection_threadmain () > > #32 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #33 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #34 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 29 (Thread 0x7f3ac37fe700 (LWP 2668)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ > libdb-5.3.so > > #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so > > #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so > > #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so > > #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so > > #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so > > #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so > > #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so > > #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so > > #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so > > #11 0x00007f3adc12d180 in idl_new_fetch () from > 
/usr/lib64/dirsrv/plugins/libback-ldbm.so > > #12 0x00007f3adc13b5e6 in index_read_ext_allids () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #13 0x00007f3adc125dd4 in keys2idl () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #14 0x00007f3adc126533 in ava_candidates.isra.0 () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #15 0x00007f3adc126b22 in filter_candidates_ext () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #16 0x00007f3adc127b96 in list_candidates () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #17 0x00007f3adc126a90 in filter_candidates_ext () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #18 0x00007f3adc127b96 in list_candidates () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #19 0x00007f3adc126a90 in filter_candidates_ext () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #20 0x00007f3adc127b96 in list_candidates () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #21 0x00007f3adc126a90 in filter_candidates_ext () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #22 0x00007f3adc161fdc in subtree_candidates () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #23 0x00007f3adc1635f7 in ldbm_back_search () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #24 0x00007f3ae993fd49 in op_shared_search () from > /usr/lib64/dirsrv/libslapd.so.0 > > #25 0x00007f3ae9e2b07e in do_search () > > #26 0x00007f3ae9e1a405 in connection_threadmain () > > #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 28 (Thread 0x7f3ac2ffd700 (LWP 2669)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in 
_pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 27 (Thread 0x7f3ac27fc700 (LWP 2670)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 26 (Thread 0x7f3ac1ffb700 (LWP 2671)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 25 (Thread 0x7f3ac17fa700 (LWP 2672)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 24 (Thread 0x7f3ac0ff9700 (LWP 2673)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in 
connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 23 (Thread 0x7f3abbfff700 (LWP 2674)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 22 (Thread 0x7f3abb7fe700 (LWP 2675)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 21 (Thread 0x7f3abaffd700 (LWP 2676)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 20 (Thread 0x7f3aba7fc700 (LWP 2677)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > 
/lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 19 (Thread 0x7f3ab9ffb700 (LWP 2678)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 18 (Thread 0x7f3ab97fa700 (LWP 2679)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 17 (Thread 0x7f3ab8ff9700 (LWP 2680)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 
16 (Thread 0x7f3ab87f8700 (LWP 2681)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 15 (Thread 0x7f3ab7ff7700 (LWP 2682)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 14 (Thread 0x7f3ab77f6700 (LWP 2683)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 13 (Thread 0x7f3ab6ff5700 (LWP 2684)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in 
start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 12 (Thread 0x7f3ab67f4700 (LWP 2685)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 11 (Thread 0x7f3ab5ff3700 (LWP 2686)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ > libdb-5.3.so > > #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so > > #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so > > #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so > > #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so > > #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so > > #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so > > #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so > > #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so > > #10 0x00007f3ae237d843 in __db_get () from /lib64/libdb-5.3.so > > #11 0x00007f3ae2381123 in __db_get_pp () from /lib64/libdb-5.3.so > > #12 0x00007f3adc12949b in id2entry () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #13 0x00007f3adc14f7dd in ldbm_back_delete () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #14 0x00007f3ae9900190 in op_shared_delete () from > /usr/lib64/dirsrv/libslapd.so.0 > > #15 0x00007f3ae9900342 in delete_internal_pb () from > /usr/lib64/dirsrv/libslapd.so.0 > > #16 0x00007f3adba44739 in mep_del_post_op () from > 
/usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so > > #17 0x00007f3ae994c280 in plugin_call_func () from > /usr/lib64/dirsrv/libslapd.so.0 > > #18 0x00007f3ae994c4d8 in plugin_call_plugins () from > /usr/lib64/dirsrv/libslapd.so.0 > > #19 0x00007f3adc14e42e in ldbm_back_delete () from > /usr/lib64/dirsrv/plugins/libback-ldbm.so > > #20 0x00007f3ae9900190 in op_shared_delete () from > /usr/lib64/dirsrv/libslapd.so.0 > > #21 0x00007f3ae9900453 in do_delete () from /usr/lib64/dirsrv/libslapd.so.0 > > #22 0x00007f3ae9e1a37e in connection_threadmain () > > #23 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #24 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #25 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 10 (Thread 0x7f3ab57f2700 (LWP 2687)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 9 (Thread 0x7f3ab4ff1700 (LWP 2688)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 8 (Thread 0x7f3ab47f0700 (LWP 2689)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar 
() from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 7 (Thread 0x7f3ab3fef700 (LWP 2690)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 6 (Thread 0x7f3ab37ee700 (LWP 2691)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 5 (Thread 0x7f3ab2fed700 (LWP 2692)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e1865e in connection_wait_for_new_work () > > #3 0x00007f3ae9e1988d in connection_threadmain () > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 4 (Thread 0x7f3ab27ec700 (LWP 2693)): > > #0 0x00007f3ae74028f3 in 
select () from /lib64/libc.so.6 > > #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0 > > #2 0x00007f3ae9e1b2c5 in time_thread () > > #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 3 (Thread 0x7f3ab1feb700 (LWP 2725)): > > #0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so > > #2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so > > #3 0x00007f3ae0376374 in sync_send_results () from > /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so > > #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 2 (Thread 0x7f3ab17ea700 (LWP 2967)): > > #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > > #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so > > #2 0x00007f3ae9e25c85 in ps_send_results () > > #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so > > #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 > > #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 > > Thread 1 (Thread 0x7f3ae9de2840 (LWP 2197)): > > #0 0x00007f3ae76e3f7d in __lll_lock_wait () from /lib64/libpthread.so.0 > > #1 0x00007f3ae76dfd68 in _L_lock_975 () from /lib64/libpthread.so.0 > > #2 0x00007f3ae76dfd11 in pthread_mutex_lock () from /lib64/libpthread.so.0 > > #3 0x00007f3ae7d36cb9 in PR_Lock () from /lib64/libnspr4.so > > #4 0x00007f3ae9e1def6 in slapd_daemon () > > #5 0x00007f3ae9e1117c in main () > > -sh-4.2$ > > On Fri, Sep 18, 2015 at 12:52 AM, Ludwig Krispenz > wrote: > >> >> On 09/18/2015 12:24 AM, HECTOR LOPEZ wrote: >> >> This is rhel 7.1 with ipa version 4.1.0 
>>
>> user-show shows the user. However, if the user contains
>> ipaNTSecurityIdentifier: attribute, user-del hangs with no response.
>>
>> Meanwhile, the KDC and 389ds stop working. The only way to recover
>> functionality is to reboot the machine. ipactl restart does nothing.
>>
>> If it hangs again, could you get a pstack of the slapd process ?
>> If you then kill slapd, does ipactl restart work ?
>>
>> In the ldap access log I see this when trying to delete user sclown:
>>
>> [14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0 etime=0
>> [14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
>> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
>> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0
>> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
>> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z 1:0 (0)
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 nentries=0 etime=0
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV 200:0:20150914093009Z 1:10 (0)
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 tag=101 nentries=1 etime=0
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV 200:0:20150914093009Z 0:0 (0)
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
>> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101 nentries=1 etime=0
>> [14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
>>
>> Then in the ldap error log I see this, which makes me think there is a
>> problem with the changelog:
>>
>> [14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for changenumber=91314,cn=changelog from entryrdn index (-30993)
>> [14/Sep/2015:09:30:03 -0700] - Operation error fetching changenumber=91314,cn=changelog (null), error -30993.
>> [14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error occured while adding change number 91314, dn = changenumber=91314,cn=changelog: Operations error.
>> [14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: operation failure [1]
>>
>> After this both kdc and ldap stop responding. In the krb5kdc.log I see
>> server errors after the user-del command is run. The only way to resume
>> normal operations is to restart the whole machine. ipactl restart doesn't
>> work.
>>
>> Any help would be highly appreciated!
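Added example, not part of the thread: a small Python parser for 389-ds access-log records like the ones quoted above, pairing each conn/op with its RESULT line so that the operation that never completed (the DEL of uid=sclown) and the operations that failed (err=1 on the MasterCRL MOD, err=32 on the sessions SRCH) stand out. The sample lines are constructed, abridged copies of the quoted log with the e-mail wrapping undone.

```python
"""Pair 389-ds access-log operations with their RESULT lines.

A hung slapd shows up in the access log as an operation that is logged
(e.g. "DEL dn=...") but never gets a matching "RESULT err=..." line.
"""
import re
from collections import OrderedDict

# Constructed sample: abridged copies of the access-log lines quoted in the
# thread, with the e-mail line wrapping undone so each record is one line.
SAMPLE_ACCESS_LOG = """\
[14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0 etime=0
[14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno"
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z 1:0 (0)
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 nentries=0 etime=0
[14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
"""

# "[timestamp] conn=N op=M VERB rest-of-line"; connection-level lines
# (fd=, slot=, "closed") carry no op= and are skipped.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) "
    r"(?P<verb>[A-Z]+)(?: (?P<rest>.*))?$"
)
RESULT_RE = re.compile(
    r"err=(?P<err>-?\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+) etime=(?P<etime>[\d.]+)"
)

# These never get a RESULT line, so their absence is not a sign of a hang.
NO_RESULT_VERBS = {"UNBIND", "ABANDON"}
# These annotate the SRCH they belong to rather than starting a new operation.
ANNOTATION_VERBS = {"SORT", "VLV"}


def _new_record(conn, op, ts, verb, detail):
    return {"conn": conn, "op": op, "ts": ts, "verb": verb,
            "detail": detail, "result": None}


def parse_access_log(text):
    """Return an ordered dict keyed by (conn, op) with each op's RESULT attached."""
    ops = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        verb, rest = m["verb"], m["rest"] or ""
        if verb == "RESULT":
            # A RESULT whose start line scrolled out of the excerpt still gets a record.
            rec = ops.setdefault(key, _new_record(key[0], key[1], m["ts"], None, ""))
            r = RESULT_RE.search(rest)
            rec["result"] = (
                {"err": int(r["err"]), "tag": int(r["tag"]),
                 "nentries": int(r["nentries"]), "etime": r["etime"]}
                if r else {"err": None, "tag": None, "nentries": None, "etime": None}
            )
        elif verb in ANNOTATION_VERBS:
            if key in ops:
                ops[key]["detail"] += " " + verb + " " + rest
        else:
            ops[key] = _new_record(key[0], key[1], m["ts"], verb, rest)
    return ops


def unfinished_operations(ops):
    """Operations that were started but never produced a RESULT line."""
    return [rec for rec in ops.values()
            if rec["result"] is None
            and rec["verb"] is not None
            and rec["verb"] not in NO_RESULT_VERBS]


def failed_operations(ops):
    """Operations whose RESULT carries a non-zero LDAP result code."""
    return [rec for rec in ops.values()
            if rec["result"] is not None and rec["result"]["err"] not in (0, None)]


def summarize(text):
    """Human-readable summary lines for a log excerpt: hung ops first, then failures."""
    ops = parse_access_log(text)
    lines = []
    for rec in unfinished_operations(ops):
        lines.append("NO RESULT  conn=%d op=%d %s %s"
                     % (rec["conn"], rec["op"], rec["verb"], rec["detail"]))
    for rec in failed_operations(ops):
        lines.append("err=%-3d    conn=%d op=%d %s %s"
                     % (rec["result"]["err"], rec["conn"], rec["op"], rec["verb"], rec["detail"]))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_ACCESS_LOG)))
```

On a real server, feed it the tail of /var/log/dirsrv/slapd-INSTANCE/access taken while slapd is unresponsive; the "NO RESULT" entries are the operations still in flight, which is what the pstack's waiting threads correspond to.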
From janellenicole80 at gmail.com  Wed Sep 23 20:05:39 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 23 Sep 2015 13:05:39 -0700
Subject: [Freeipa-users] V6 and v4
In-Reply-To: <20150914064630.GP6168@redhat.com>
References: <20150914064630.GP6168@redhat.com>
Message-ID: <56030613.3050308@gmail.com>

On 9/13/15 11:46 PM, Alexander Bokovoy wrote:
> On Sun, 13 Sep 2015, Janelle wrote:
>> Hello,
>>
>> I read something recently that if ip v6 is disabled on a server this
>> hurts performance in some way? Is there more info on this or did I
>> misread it?
> Do not disable IPv6 stack on your machines. By disabling IPv6 you are
> not doing good. On the contrary, many contemporary software projects are
> using IPv6-enabled network calls by default because both IPv6 and IPv4
> share the same name space on the machine so you only need to listen on an
> IPv6 port to accept both IPv4 and IPv6. This is a recommended approach
> for networking applications' developers for years already.
>
> Note that this means only that support for IPv6 stack is enabled in the
> kernel. You are not required to go with IPv6 networking addresses, this
> is not really needed if you don't want to. But allowing applications to
> be IPv6 aware is required.
>
> FreeIPA has several components which are programmed in such a way that
> they expect IPv6 stack to be enabled for reasons outlined above. If you
> disable IPv6 stack, FreeIPA will partially malfunction and will not
> really be in a supported state, especially when we are talking about
> trusts to Active Directory (and, in future, IPA to IPA trust).
>
BTW - I did re-enable IPv6 and was able to "clean ruv" all the "dead"
entries, which I had not been able to do before. Thank you for this.

~J

From aly.khimji at gmail.com  Wed Sep 23 20:22:32 2015
From: aly.khimji at gmail.com (Aly Khimji)
Date: Wed, 23 Sep 2015 16:22:32 -0400
Subject: [Freeipa-users] dns_lookup_kdc question
In-Reply-To: <20150923195056.GB7201@redhat.com>
References: <20150923195056.GB7201@redhat.com>
Message-ID:

Excellent, thank you for the quick response. I will look further into your
suggestions.

Aly

On Wed, Sep 23, 2015 at 3:50 PM, Alexander Bokovoy wrote:

> On Wed, 23 Sep 2015, Aly Khimji wrote:
>
>> Hey guys,
>>
>> Quick question. Just running through a poc and ran into a question.
>>
>> I have a simple AD DC (win2k8r2 box) with a trust setup to our IPA server.
>> Trust and all is setup properly and I can see users on the client/ipa
>> server and on the ipa server I can ssh into it with the AD user.
>>
>> I am finding that users are unable to log into the "client nodes" and are
>> getting a "4: System Error" failure in the ssh log. When I dig into the
>> sssd in debug mode I can see it's failing to find KDC for the "realm". Makes
>> sense so far. So I enable dns_lookup_kdc = true and now it is able to find
>> the realm and login is successful.
>>
> Correct.
>
>> My question is, is this "dns_lookup_kdc = true" required in any setup with
>> AD/IPA trust + ssh into IPA client with AD users?
>>
> Yes, in currently released versions you have to have that in the
> krb5.conf.
>
>> I am wondering as there may be a use case where the AD server is in another
>> network and IPA clients won't have direct access to AD. I was wondering if
>> there is any model in which the client only ever talks to IPA server and
>> all the AD/Kerberos communication is handled via the IPA server and if so how
>> is this done?
>>
> Yes, there is a way to do so with FreeIPA 4.2, by using KDC proxy
> functionality.
>
> You can enable KDC proxy on IPA master and make sure to set manually on
> each client a 'kdc' property for each AD realm to point to
> https://ipa.master/KDCProxy. Then on the IPA master itself have explicit
> define in krb5.conf for AD realms pointing to proper AD DCs for 'kdc'
> property.
> With this setup you would have all Kerberos traffic (same can be done
> with kadmin protocol too, I think) redirected via IPA masters to AD DCs.
>
> You need to have fairly recent MIT Kerberos library for that, though.
> RHEL7 should be OK. I haven't checked latest MIT krb5 backports in
> RHEL6, though.
>
>> I have read a bit and this looks as though what I am doing here is a
>> "legacy" setup. Just wondering if this is different in sssd 1.9 or if
>> kdc = True is always required.
>>
>> I am not doing anything extra on the client other then the ipa-client
>> install.
>> No manual adjustment of sssd.conf or krb5.conf. If I am missing something
>> please advise.
>>
> ipa-client-install sets 'dns_lookup_kdc = true' by default if your DNS
> discovery of KDC was successful and no '--force' option was specified.
>
>
> --
> / Alexander Bokovoy
>

From jhrozek at redhat.com Wed Sep 23 20:49:10 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 23 Sep 2015 22:49:10 +0200
Subject: [Freeipa-users] sudo not work in linux
In-Reply-To:
References:
Message-ID: <20150923204910.GN7272@hendrix.redhat.com>

On Wed, Sep 23, 2015 at 12:48:47PM +0330, alireza baghery wrote:
> hi
> i have centos 6.7 (ipa server)
> and i have centos 6.5 (client)

I would advise to upgrade, 6.5 is old. I'm not sure if 6.5 already
supported sudo_provider=ipa, but I'm pretty sure 6.6 did. That would
simplify the configuration a lot.

> i can not sudo on client
> i add rule sudo on ipa
> i config file sss.conf

Are there any rules in the cache (ldbsearch -H
/var/lib/sss/db/cache_l.infotechpsp.net) at all?
If not, then I guess the rules don't match the host, because your domain
log snippet indicates sssd couldn't fetch the rules.

> +++++++
>
> [domain/l.infotechpsp.net]
> debug_level = 6
> #cache_credentials = True
> #krb5_store_password_if_offline = True
> ipa_domain = l.infotechpsp.net
> id_provider = ipa
> #auth_provider = ipa
> #access_provider = ipa
> #ipa_hostname = switchlive.l.infotechpsp.net
> #chpass_provider = ipa
> ipa_server = _srv_, ipasrv.l.infotechpsp.net
> ldap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri =ldap://ipasrv.l.infotechpsp.net
> ldap_sudo_search_base = ou=sudoers,dc=l,dc=infotechpsp,dc=net
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ussd7rep.l.infotechpsp.net
> ldap_sasl_realm = L.INFOTECHPSP.NET
> krb5_server = ipasrv.l.infotechpsp.net
> [sssd]
> config_file_version = 2
>
> # Number of times services should attempt to reconnect in the
> # event of a crash or restart before they give up
> reconnection_retries = 3
>
> # If a back end is particularly slow you can raise this timeout here
> sbus_timeout = 30
> services = nss, pam, ssh, sudo
>
> domains = l.infotechpsp.net
> [nss]
>
>
> [pam]
> +++++++
> in file nsswitch.conf
> add sudoers: files sss
>
> and log file /var/log/sss/sss_l.....
> +++++
>
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [be_resolve_server_process] (0x0200): Found address for server ipasrv.l.infotechpsp.net: [10.30.160.19] TTL 1200
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_L.INFOTECHPSP.NET], expired on [1443085132]
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ussd7rep.l.infotechpsp.net
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [child_sig_handler] (0x0100): child [12755] finished successfully.
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipasrv.l.infotechpsp.net' as 'working'
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [set_server_common_status] (0x0100): Marking server 'ipasrv.l.infotechpsp.net' as 'working'
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectclass=sudoRole)(entryUSN>=128274)(!(entryUSN=128274)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ussd7rep.l.infotechpsp.net)(sudoHost=ussd7rep)(sudoHost=10.30.110.11)(sudoHost=10.30.110.0/24)(sudoHost=fe80::250:56ff:feaf:3ca6)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=l,dc=infotechpsp,dc=net].
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in cache
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_smart_refresh_done] (0x0400): Successful smart refresh of sudo rules
> +++++

From jhrozek at redhat.com Wed Sep 23 20:54:07 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 23 Sep 2015 22:54:07 +0200
Subject: [Freeipa-users] sssd public socket error
In-Reply-To: <04d971afeace4bdeae8230f0f8244877@TCCCORPEXCH02.TCC.local>
References: <04d971afeace4bdeae8230f0f8244877@TCCCORPEXCH02.TCC.local>
Message-ID: <20150923205407.GO7272@hendrix.redhat.com>

On Wed, Sep 23, 2015 at 06:03:45PM +0000, Andy Thompson wrote:
> On one of my servers I'm getting
>
> Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session): session opened for user user by (uid=0)
> Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred): Request to sssd failed. Public socket has wrong ownership or permissions.
>
> Authentication still works but group name lookups fail on the server.
>
> Haven't been able to track down yet what config is different on this server and I can't find any information on this, anyone have any thoughts?
The code is:

    statret = stat(SSS_PAM_SOCKET_NAME, &stat_buf);
    if (statret != 0) {
        ret = PAM_SERVICE_ERR;
        goto out;
    }
    if ( ! (stat_buf.st_uid == 0 &&
            stat_buf.st_gid == 0 &&
            S_ISSOCK(stat_buf.st_mode) &&
            (stat_buf.st_mode & ~S_IFMT) == 0666 )) {
        *errnop = ESSS_BAD_PUB_SOCKET;
        ret = PAM_SERVICE_ERR;
        goto out;
    }

I would compare:
    ls -lR /var/lib/sss/pipes/
on a working or a non-working server. The public PAM socket
(/var/lib/sss/pipes/pam) should be there and should have permission 0666.

Also check AVC denials.

From Andy.Thompson at e-tcc.com Wed Sep 23 21:56:10 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Wed, 23 Sep 2015 21:56:10 +0000
Subject: [Freeipa-users] IPA server failover
Message-ID: <4ef3bc3ac1734e23afecd957c6159615@TCCCORPEXCH02.TCC.local>

I've got all of my environments setup with two IPA servers. I'm fighting intermittent problems with krb5kdc crashing on them in all of my environments and I've opened a ticket with Redhat on that. What I can't figure out though is why the clients will not fail over to the second functioning server in the domain.

My sssd.conf files are all pretty generic from the install with minimal modification to add a couple settings.

[domain/mhbe.lin]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mhbe.lin
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mdhixproddb01.mhbe.lin
chpass_provider = ipa
ipa_server = _srv_, mdhixprodipa01.mhbe.lin
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
default_domain_suffix = mhbe.local
services = nss, sudo, pam, ssh
config_file_version = 2

domains = mhbe.lin
[nss]
default_shell = /bin/bash
homedir_substring = /home
debug_level = 7
[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

I thought the _srv_ would force it to use dns and both servers are round robined when digging the _kerberos records from DNS.
So I don't understand why it's not working.

Thanks

-andy

From brian at interlinx.bc.ca Wed Sep 23 23:35:23 2015
From: brian at interlinx.bc.ca (Brian J. Murrell)
Date: Wed, 23 Sep 2015 19:35:23 -0400
Subject: [Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t
Message-ID: <1443051323.7486.76.camel@interlinx.bc.ca>

I've put a Kerberos principal into a keytab:

# klist -k asterisk.keytab
Keytab name: FILE:asterisk.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 asterisk@EXAMPLE.COM

using:

# ipa-getkeytab -s server.example.com -p asterisk -k /tmp/asterisk-krb5.keytab -e aes256-cts

But when I try to use that keytab I get an error:

# kinit -k -t /etc/asterisk/asterisk.keytab imap/linux.example.com@EXAMPLE.COM
kinit: Generic preauthentication failure while getting initial credentials

On the server I get the following error:

Sep 23 19:30:39 server.example.com krb5kdc[28970](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) xxxxxx: NEEDED_PREAUTH: imap/linux.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required

Any idea what is going on here?

Cheers,
b.
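Brian's question comes down to which principal the keytab actually holds: ipa-getkeytab wrote a key for asterisk@EXAMPLE.COM, while kinit -k asks for imap/linux.example.com@EXAMPLE.COM, so the client is told to pre-authenticate with a key it does not have (Alexander Bokovoy's reply further down the archive says the same). In practice `klist -kte` answers this; the following added example, which is not from this thread or from FreeIPA or MIT krb5, parses the MIT keytab file format directly (version 0x0502, big-endian, one sized entry per key) so the selection kinit makes is visible. The keytab bytes are constructed inside the block with a made-up 32-byte key; only the principal, kvno 8 and enctype 18 (aes256-cts) mirror the post.

```python
import struct

KEYTAB_VERSION = 0x0502            # MIT keytab file format v2 (big-endian)
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.
    Only used to construct the sample below; ipa-getkeytab does this for real."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type, timestamp, 8-bit vno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)   # keyblock
        body += struct.pack(">I", kvno)                      # 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes) -> list:
    """Return [{principal, kvno, enctype, key}] for every live entry."""
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end, cur = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", blob, cur)
        cur += 2
        strings = []
        for _ in range(ncomp + 1):   # realm first, then name components
            (n,) = struct.unpack_from(">H", blob, cur)
            strings.append(blob[cur + 2:cur + 2 + n].decode())
            cur += 2 + n
        realm, comps = strings[0], strings[1:]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, cur)
        cur += 9
        enctype, keylen = struct.unpack_from(">HH", blob, cur)
        key = blob[cur + 4:cur + 4 + keylen]
        cur += 4 + keylen
        kvno = vno8
        if end - cur >= 4:           # newer keytabs append a 32-bit kvno
            (kvno,) = struct.unpack_from(">I", blob, cur)
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def find_key(blob: bytes, principal: str):
    """Entries usable for `kinit -k principal`: exact principal match, else None."""
    matches = [e for e in parse_keytab(blob) if e["principal"] == principal]
    return matches or None


def explain(blob: bytes, principal: str) -> str:
    """One-line verdict to check before retrying kinit against the KDC."""
    hits = find_key(blob, principal)
    if hits:
        ename = ENCTYPE_NAMES.get(hits[0]["enctype"], str(hits[0]["enctype"]))
        return "keytab has %s (kvno %d, %s)" % (principal, hits[0]["kvno"], ename)
    held = ", ".join(sorted({e["principal"] for e in parse_keytab(blob)}))
    return "no key for %s; keytab holds: %s" % (principal, held)


# Constructed sample: the shape ipa-getkeytab -p asterisk -e aes256-cts
# produced in the post (kvno 8, enctype 18); the key bytes are made up.
SAMPLE_KEYTAB = build_keytab([("asterisk@EXAMPLE.COM", 8, 18, bytes(range(32)))])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%4d %s (enctype %d)" % (e["kvno"], e["principal"], e["enctype"]))
    print(explain(SAMPLE_KEYTAB, "imap/linux.example.com@EXAMPLE.COM"))
```

To run it against a real file, replace SAMPLE_KEYTAB with `open("/etc/asterisk/asterisk.keytab", "rb").read()`; a principal that is not listed by parse_keytab cannot be obtained with `kinit -k` from that keytab, whatever the KDC logs.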
From ftweedal at redhat.com Thu Sep 24 00:20:14 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 24 Sep 2015 10:20:14 +1000
Subject: [Freeipa-users] Automatic IPA CA cert generation
In-Reply-To: <56027BFB.2050801@jmips.co.uk>
References: <56016D95.3080708@jmips.co.uk> <56025025.9080609@redhat.com> <20150923100357.GZ16937@dhcp-40-8.bne.redhat.com> <56027BFB.2050801@jmips.co.uk>
Message-ID: <20150924002014.GE16937@dhcp-40-8.bne.redhat.com>

On Wed, Sep 23, 2015 at 11:16:27AM +0100, James Masson wrote:
>
> On 23/09/15 11:03, Fraser Tweedale wrote:
> >On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
> >>On 22/09/15 17:02, James Masson wrote:
> >>>
> >>>Hi,
> >>>
> >>>we're building IPAs in an automated fashion, for environments that get
> >>>created and destroyed a lot. At the moment, the CA certs used inside
> >>>these IPAs are self-signed, as part of the normal "ipa-server-install"
> >>>setup process.
> >>>
> >>>We would like to switch to issuing signed intermediate CA certs to the
> >>>IPAs we deploy.
> >>>
> >>>The documentation lists the two part process necessary for this. First
> >>>"--external-ca" - and then "--external-cert-file"
> >>>
> >>>Are there any ways to skip this, and give the setup process a known
> >>>public/private key+cert up front? I'm hoping to avoid the need to have
> >>>to use/send this automatically generated CSR every time.
> >>>
> >>>thanks
> >>>
> >>>James M
> >>>
> >>
> >>Hello James,
> >>currently it's not possible but making installation with externally signed
> >>CA single step sounds really useful to me.
> >>Currently certmonger is generating the CSR for FreeIPA server in the first
> >>step of installation. Certmonger is also able to send certificate to
> >>external CA for signing.
> >>
> >>I'm not sure if we could combine these two certmonger's abilities right now
> >>but if not it shouldn't be difficult to add functionality to certmonger to
> >>send the CSR to preconfigured CA instead of just storing it in file.
> >>
> >>This would of course require configuring the certmonger with information
> >>about the CA before FreeIPA server installation but it's just one command
> >>(getcert-add-ca).
> >>
> >>Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
> >>
> >There are two sides to this - one is using Certmonger for automatic
> >signing of intermediate CA certificate to be used by IPA, the other
> >is simply using a CA cert that the administrator already possesses,
> >e.g. in a PKCS #12 file. These should be separate tickets.
> >
> >Cheers,
> >Fraser
> >
> >>--
> >>David Kupka
> >>
>
> Done -
>
> https://fedorahosted.org/freeipa/ticket/5317
> https://fedorahosted.org/freeipa/ticket/5318
>
> Would it be possible to use Certmonger to help the 2 step process used at
> the moment?
>
> ie. run 'ipa-server-install' the first time - get the CSR
> use local Certmonger to handle the CSR submission to upstream CA
> use the resulting Cert in the second 'ipa-server-install'
>
> Any pointers?
>
> regards
>
> James M
>
I don't see an option for certmonger to use an existing CSR but you
could ask it to create and track a new CSR for the same key. See
getcert-request(1) for full details.
Cheers,
Fraser

From abokovoy at redhat.com Thu Sep 24 05:17:26 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 24 Sep 2015 08:17:26 +0300
Subject: [Freeipa-users] IPA server failover
In-Reply-To: <4ef3bc3ac1734e23afecd957c6159615@TCCCORPEXCH02.TCC.local>
References: <4ef3bc3ac1734e23afecd957c6159615@TCCCORPEXCH02.TCC.local>
Message-ID: <20150924051726.GC7201@redhat.com>

On Wed, 23 Sep 2015, Andy Thompson wrote:
>I've got all of my environments setup with two IPA servers. I'm
>fighting intermittent problems with krb5kdc crashing on them in all of
>my environments and I've opened a ticket with Redhat on that. What I
>can't figure out though is why the clients will not fail over to the
>second functioning server in the domain
>
>My sssd.conf files are all pretty generic from the install with minimal
>modification to add a couple settings.
>
>[domain/mhbe.lin]
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = mhbe.lin
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = mdhixproddb01.mhbe.lin
>chpass_provider = ipa
>ipa_server = _srv_, mdhixprodipa01.mhbe.lin
>ldap_tls_cacert = /etc/ipa/ca.crt
>[sssd]
>default_domain_suffix = mhbe.local
>services = nss, sudo, pam, ssh
>config_file_version = 2
>
>domains = mhbe.lin
>[nss]
>default_shell = /bin/bash
>homedir_substring = /home
>debug_level = 7
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>
>I thought the _srv_ would force it to use dns and both servers are
>round robined when digging the _kerberos records from DNS. So I don't
>understand why it's not working

ipa_server is for SSSD tasks using LDAP server. Kerberos libraries are
using /etc/krb5.conf for hints where to find KDCs.
A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing
'kdc = ' for specific realm would cause Kerberos clients to do DNS
discovery using SRV records. If multiple 'kdc = ...' values are specified
in the realm definition, Kerberos clients will fall over to the next one
in the list in case of a failure.

When ipa-client-install is run, we configure krb5.conf without explicit
KDCs if DNS discovery of Kerberos was successful which should take care
of SRV record-based discovery of KDCs.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Thu Sep 24 05:23:57 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 24 Sep 2015 08:23:57 +0300
Subject: [Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t
In-Reply-To: <1443051323.7486.76.camel@interlinx.bc.ca>
References: <1443051323.7486.76.camel@interlinx.bc.ca>
Message-ID: <20150924052357.GD7201@redhat.com>

On Wed, 23 Sep 2015, Brian J. Murrell wrote:
>I've put a Kerberos principal into a keytab:
>
># klist -k asterisk.keytab
>Keytab name: FILE:asterisk.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   8 asterisk@EXAMPLE.COM
>
>using:
>
># ipa-getkeytab -s server.example.com -p asterisk -k /tmp/asterisk-krb5.keytab -e aes256-cts
>
>But when I try to use that keytab I get an error:
>
># kinit -k -t /etc/asterisk/asterisk.keytab imap/linux.example.com@EXAMPLE.COM
>kinit: Generic preauthentication failure while getting initial credentials
>
>On the server I get the following error:
>
>Sep 23 19:30:39 server.example.com krb5kdc[28970](info): AS_REQ (7
>etypes {18 17 16 23 1 3 2}) xxxxxx: NEEDED_PREAUTH:
>imap/linux.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM,
>Additional pre-authentication required
>
>Any idea what is going on here?

You need to explain what are you trying to achieve first.
The sequence above:

- Sets a random Kerberos key for a principal named asterisk@EXAMPLE.COM
  on IPA KDC and stores it to the local keytab file asterisk.keytab
- tries to use a key for asterisk@EXAMPLE.COM to obtain ticket granting
  ticket as imap/linux.example.com@EXAMPLE.COM

Unless imap/linux.example.com@EXAMPLE.COM has exactly same Kerberos key
as asterisk@EXAMPLE.COM, the above should fail and it does.

--
/ Alexander Bokovoy

From canepa.n at mmfg.it Thu Sep 24 07:08:30 2015
From: canepa.n at mmfg.it (Nicola Canepa)
Date: Thu, 24 Sep 2015 09:08:30 +0200
Subject: [Freeipa-users] Problem with replica
Message-ID: <5603A16E.6050802@mmfg.it>

Hello, I'm trying to setup a partial replica of the LDAP tree stored in
389-ds by FreeIPA 4.1 (under CentOS 7), so that legacy systems have a
local copy of the data needed to authenticate.
Those systems have already OpenLDAP installed, so I'm trying to enable
syncrepl from DS to OL.
I followed this ticket: https://fedorahosted.org/freeipa/ticket/3967
and I enabled the 2 plugins as indicated.
When the slave starts and tries to sync, the ns-slapd process on FreeIPA
server dies, with this in syslog:
> kernel: ns-slapd[4801]: segfault at 0 ip 00007f0f041f2db6 sp
> 00007f0ecc7f0f38 error 4 in libc-2.17.so[7f0f0416e000+1b6000]
immediately (same second) followed by:
> named[1974]: LDAP error: Can't contact LDAP server: ldap_sync_poll()
> failed
> named[1974]: ldap_syncrepl will reconnect in 60 seconds
> systemd: dirsrv at XXX.service: main process exited, code=killed,
> status=11/SEGV

There is nothing in access or error log (found in
/var/log/dirsrv/INSTANCE) at that second (last log is 30 seconds before
the problem).

Even if replica doesn't work, I think it shouldn't kill the daemon.
The ldif used on the slave:
> dn: olcDatabase={1}bdb,cn=config
> changetype: modify
> replace: olcSyncrepl
> olcSyncrepl: rid=0001
>   provider=ldap://AAA.TLD
>   type=refreshOnly
>   interval=00:1:00:00
>   retry="5 5 300 +"
>   searchbase="YYY"
>   attrs="*,+"
>   bindmethod=simple
>   binddn="uid=XXX,cn=users,cn=accounts,dc=YYY"
>   credentials=ZZZ

Nicola

--
Nicola Canepa
Tel: +39-0522-399-3474
canepa.n at mmfg.it
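One thing to check in the olcSyncrepl value above before the crash is even solved: it binds to the IPA directory with bindmethod=simple over plain ldap://, so the consumer's bind password crosses the network in cleartext on every refresh. The block below is an added example, not from this thread, OpenLDAP or FreeIPA. It parses a syncrepl option string (shell-style quoting for the quoted values), reports transport findings, and rewrites the options with starttls=critical and tls_reqcert=demand, which are documented slapd.conf(5) syncrepl keywords. The sample value is constructed from the post's placeholders, and the tls_cacert path /etc/ipa/ca.crt is an assumption (the IPA CA bundle an enrolled client would have).

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample mirroring the posted olcSyncrepl value; the AAA.TLD,
# YYY, XXX and ZZZ placeholders are kept as the poster wrote them.
SAMPLE_SYNCREPL = (
    'rid=0001 provider=ldap://AAA.TLD type=refreshOnly interval=00:1:00:00 '
    'retry="5 5 300 +" searchbase="YYY" attrs="*,+" bindmethod=simple '
    'binddn="uid=XXX,cn=users,cn=accounts,dc=YYY" credentials=ZZZ'
)


def parse_syncrepl(value: str) -> dict:
    """Split a syncrepl option string into {keyword: value}, honouring quotes."""
    opts = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError("malformed syncrepl option: %r" % token)
        opts[key.lower()] = val
    return opts


def transport_findings(opts: dict) -> list:
    """Findings about credential exposure on the consumer->provider connection."""
    findings = []
    scheme = urlsplit(opts.get("provider", "")).scheme.lower()
    starttls = opts.get("starttls", "").lower()
    bind = opts.get("bindmethod", "simple").lower()   # slapd default is simple
    encrypted = scheme == "ldaps" or starttls == "critical"
    if bind == "simple" and not encrypted:
        findings.append("simple bind sends the binddn password in cleartext: "
                        "use provider=ldaps:// or starttls=critical")
    if starttls == "yes":
        findings.append("starttls=yes falls back to cleartext if StartTLS "
                        "fails; use starttls=critical")
    if encrypted and opts.get("tls_reqcert", "").lower() != "demand":
        findings.append("set tls_reqcert=demand so the provider certificate "
                        "is verified")
    return findings


def hardened(opts: dict) -> str:
    """Same options, rewritten to require TLS and certificate verification."""
    fixed = dict(opts)
    fixed["starttls"] = "critical"
    fixed["tls_reqcert"] = "demand"
    # Assumed CA bundle location on an IPA-enrolled consumer.
    fixed.setdefault("tls_cacert", "/etc/ipa/ca.crt")
    return " ".join(
        '%s="%s"' % (k, v) if (" " in v or "," in v) else "%s=%s" % (k, v)
        for k, v in fixed.items()
    )


if __name__ == "__main__":
    parsed = parse_syncrepl(SAMPLE_SYNCREPL)
    for line in transport_findings(parsed):
        print("FINDING:", line)
    print("olcSyncrepl:", hardened(parsed))
```

Feed it the olcSyncrepl value from `ldapsearch -LLL -b cn=config olcSyncrepl` on the consumer; an empty findings list means the bind password and the replicated entries (including the krbPrincipalKey attributes a full replica carries) are no longer sent in the clear.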
From lkrispen at redhat.com Thu Sep 24 07:33:40 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 24 Sep 2015 09:33:40 +0200
Subject: [Freeipa-users] Problem with replica
In-Reply-To: <5603A16E.6050802@mmfg.it>
References: <5603A16E.6050802@mmfg.it>
Message-ID: <5603A754.10409@redhat.com>

Hi,

can you try to get a core dump:
http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debug_crashes
and open a ticket for 389 DS: https://fedorahosted.org/389/newticket

Ludwig

On 09/24/2015 09:08 AM, Nicola Canepa wrote:
> Hello, I'm trying to setup a partial replica of the LDAP tree stored
> in 389-ds by FreeIPA 4.1 (under CentOS 7), so that legacy systems have
> a local copy of the data needed to authenticate.
> Those systems have already OpenLDAP installed, so I'm trying to
> enable syncrepl from DS to OL.
> I followed this ticket: https://fedorahosted.org/freeipa/ticket/3967
> and I enabled the 2 plugins as indicated.
> When the slave starts and tries to sync, the ns-slapd process on
> FreeIPA server dies, with this in syslog:
>> kernel: ns-slapd[4801]: segfault at 0 ip 00007f0f041f2db6 sp
>> 00007f0ecc7f0f38 error 4 in libc-2.17.so[7f0f0416e000+1b6000]
> immediately (same second) followed by:
>> named[1974]: LDAP error: Can't contact LDAP server: ldap_sync_poll()
>> failed
>> named[1974]: ldap_syncrepl will reconnect in 60 seconds
>> systemd: dirsrv at XXX.service: main process exited, code=killed,
>> status=11/SEGV
>
> There is nothing in access or error log (found in
> /var/log/dirsrv/INSTANCE) at that second (last log is 30 seconds
> before the problem).
>
> Even if replica doesn't work, I think it shouldn't kill the daemon.
>
>
> The ldif used on the slave:
>> dn: olcDatabase={1}bdb,cn=config
>> changetype: modify
>> replace: olcSyncrepl
>> olcSyncrepl: rid=0001
>>   provider=ldap://AAA.TLD
>>   type=refreshOnly
>>   interval=00:1:00:00
>>   retry="5 5 300 +"
>>   searchbase="YYY"
>>   attrs="*,+"
>>   bindmethod=simple
>>   binddn="uid=XXX,cn=users,cn=accounts,dc=YYY"
>>   credentials=ZZZ
>
>
> Nicola
>

From mkosek at redhat.com Thu Sep 24 07:40:06 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 24 Sep 2015 09:40:06 +0200
Subject: [Freeipa-users] User, keytab, password and ldap
In-Reply-To:
References:
Message-ID: <5603A8D6.20007@redhat.com>

On 09/23/2015 04:32 PM, bahan w wrote:
> Hello !
>
> I'm using IPA 3.0.0 and I have a problem with one of the user I created.
> user3
>
> I created this user with the command ipa user-add without specifying any
> password.
> Then I performed an ipa-getkeytab command with the -P option to have a
> keytab and a password.
>
> When I check the ldap server with the following command, I cannot find any
> "userpassword" field for this user.
> ldapsearch -v -x -D 'cn=Directory Manager' -W -h -p
>
> ###
> # user3, users, accounts, myrealm
> dn: uid=user3,cn=users,cn=accounts,dc=myrealm
> displayName: user3 user3
> cn: user3 user3
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/sh
> sn: user3
> gecos: user3 user3
> homeDirectory: /home/user3
> krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
> krbPrincipalName: user3@MYREALM
> givenName: user3
> uid: user3
> initials: uu
> ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
> uidNumber:
> gidNumber:
> memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
> memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
> mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
> krbLastPwdChange: 20150923134438Z
> krbPrincipalKey::
> krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
> krbLastSuccessfulAuth: 20150923120752Z
> krbLastFailedAuth: 20150923132257Z
> krbLoginFailedCount: 1
> ###
>
> Then, with an admin ticket, I performed an ipa passwd user3 and I set a one
> time password.
> Then I connected with user3 and he was able to change its one time password
> into something else.
> And when I retried the ldapsearch command, the field userpassword was there.
> But the keytab is not working anymore.
>
> So here is my question :
> How can I generate a user with a keytab, a password and the userpassword
> field in the ldap ?

I do not think you can do that - by design. FreeIPA synchronizes Kerberos
keys and the user password. So if you change password, existing keytab is
invalidated. If you get a keytab, password is invalidated as random key is
generated.
> The ipa-getkeytab -P option allows me to have both keytab and the password,
> but as the field userpassword is missing in the ldap, some other tools
> using ldapbackend authentication does not work for this user.

I assume this is not expected to work this way, but please let me CC Simo
here, if there is a problem in processing the -P option.

From mkosek at redhat.com Thu Sep 24 07:44:39 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 24 Sep 2015 09:44:39 +0200
Subject: [Freeipa-users] When changing passwords gui displays Login screen is showing
In-Reply-To:
References:
Message-ID: <5603A9E7.3020406@redhat.com>

On 09/23/2015 05:27 PM, Andrew Holway wrote:
> Hi,
>
> When a user changes their password the ipa gui briefly redirects to a login
> page. The user often has an impulse to click on the login button which, on
> occasion, can seem to cause a mess with the password change.
>
> Anyone else aware of this behaviour?
>
> ta
>
> Andrew

Hi Andrew,

I can see it too - good catch. I would suggest filing a new ticket at
https://fedorahosted.org/freeipa/newticket if you would like to propose
this UX improvement.

From mkosek at redhat.com Thu Sep 24 07:57:19 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 24 Sep 2015 09:57:19 +0200
Subject: [Freeipa-users] V6 and v4
In-Reply-To: <56030613.3050308@gmail.com>
References: <20150914064630.GP6168@redhat.com> <56030613.3050308@gmail.com>
Message-ID: <5603ACDF.3070602@redhat.com>

On 09/23/2015 10:05 PM, Janelle wrote:
> On 9/13/15 11:46 PM, Alexander Bokovoy wrote:
>> On Sun, 13 Sep 2015, Janelle wrote:
>>> Hello,
>>>
>>> I read something recently that if IPv6 is disabled on a server this
>>> hurts performance in some way? Is there more info on this or did I
>>> misread it?
>> Do not disable IPv6 stack on your machines. By disabling IPv6 you are
>> not doing good.
>> On the contrary, many contemporary software projects are
>> using IPv6-enabled network calls by default because both IPv6 and IPv4
>> share the same name space on the machine so you only need to listen on an
>> IPv6 port to accept both IPv4 and IPv6. This is a recommended approach
>> for networking applications' developers for years already.
>>
>> Note that this means only that support for IPv6 stack is enabled in the
>> kernel. You are not required to go with IPv6 networking addresses, this
>> is not really needed if you don't want to. But allowing applications to
>> be IPv6 aware is required.
>>
>> FreeIPA has several components which are programmed in such a way that
>> they expect IPv6 stack to be enabled for reasons outlined above. If you
>> disable IPv6 stack, FreeIPA will partially malfunction and will not
>> really be in a supported state, especially when we are talking about
>> trusts to Active Directory (and, in future, IPA to IPA trust).
>>
> BTW - I did re-enable IPv6 and was able to "clean ruv" all the "dead" entries,
> which I had not been able to do before. Thank you for this.

Hello Janelle,

Thanks for confirmation! I added this knowledge to
http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records
as it is definitely not an obvious fix to resolve the RUV issue.

Please feel very welcome to extend Troubleshooting guide if you have other
advice that could help others speed up their RUV investigation - you have
definitely a lot of experience with them.

Thanks!
Martin

From mkosek at redhat.com Thu Sep 24 07:59:37 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 24 Sep 2015 09:59:37 +0200
Subject: [Freeipa-users] How to turn off RC4 in 389ds???
In-Reply-To:
References: <56028065.9060406@redhat.com> <5602C300.1020906@redhat.com>
Message-ID: <5603AD69.1060209@redhat.com>

Hello Michael,

It is possible that this problem comes from obsolete package in the
mkosek/freeipa COPR repo, which was fixed in Fedora/RHEL, but not there.
Can you please try to update the 389-ds-base from
https://copr.fedoraproject.org/coprs/mkosek/freeipa/ ? I rebuilt the latest
F21 389-ds-base to the repo, there were some related fixes.

Thanks,
Martin

On 09/23/2015 05:50 PM, Michael Lasevich wrote:
> No difference. It is as if this setting is being overwritten somewhere deep
> in 389ds, because the "error" log correctly reflects the changes, but the
> actual process does not. (and yes, I verified that the process actually
> shuts down and starts up again when I restart it)
>
> ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"
> # encryption, config
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> sslVersionMin: TLS1.0
> nsSSL3Ciphers: +all
> allowWeakCipher: off
> nsSSL3: off
> nsSSL2: off
> ... (skipping nssslenabledciphers's) ...
> nsTLS1: on
> sslVersionMax: TLS1.2
>
> SLAPD error log got longer:
>
> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> [23/Sep/2015:09:37:28 -0600] - SSL alert: Configured NSS Ciphers
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
> [23/Sep/2015:09:37:29 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
>
> SSLScan Output:
>
> sslscan --no-failed localhost:636
>
> ...
> Supported Server Cipher(s):
> Accepted TLSv1 256 bits AES256-SHA
> Accepted TLSv1 128 bits AES128-SHA
> Accepted TLSv1 128 bits DES-CBC3-SHA
> Accepted TLSv1 128 bits RC4-SHA
> Accepted TLSv1 128 bits RC4-MD5
> Accepted TLS11 256 bits AES256-SHA
> Accepted TLS11 128 bits AES128-SHA
> Accepted TLS11 128 bits DES-CBC3-SHA
> Accepted TLS11 128 bits RC4-SHA
> Accepted TLS11 128 bits RC4-MD5
> Accepted TLS12 256 bits AES256-SHA256
> Accepted TLS12 256 bits AES256-SHA
> Accepted TLS12 128 bits AES128-GCM-SHA256
> Accepted TLS12 128 bits AES128-SHA256
> Accepted TLS12 128 bits AES128-SHA
> Accepted TLS12 128 bits DES-CBC3-SHA
> Accepted TLS12 128 bits RC4-SHA
> Accepted TLS12 128 bits RC4-MD5
>
>
> On Wed, Sep 23, 2015 at 8:19 AM, Ludwig Krispenz wrote:
>
>>
>> On 09/23/2015 05:05 PM, Michael Lasevich wrote:
>>
>> Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly
>> to post completely non-IPA questions to this list...).
>> I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no
>> matter what I do.
>>
>> I am running "CentOS Linux release 7.1.1503 (Core)"
>>
>> Relevant Packages:
>>
>> freeipa-server-4.1.4-1.el7.centos.x86_64
>> 389-ds-base-1.3.3.8-1.el7.centos.x86_64
>> nss-3.19.1-5.el7_1.x86_64
>> openssl-1.0.1e-42.el7.9.x86_64
>>
>> LDAP setting (confirmed that in error.log there is no mention of RC4 in
>> list of ciphers):
>>
>> nsSSL3Ciphers:
>> -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha
>>
>> with ipa the config entry should contain:
>>
>> dn: cn=encryption,cn=config
>> allowWeakCipher: off
>> nsSSL3Ciphers: +all
>>
>> could you try this setting
>>
>> Slapd "error" log showing no ciphersuites supporting RC4:
>>
>> [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not available in NSS 3.16. Ignoring fortezza
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.16. Ignoring fortezza_rc4_128_sha
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is not available in NSS 3.16. Ignoring fortezza_null
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
>>
>> But sslscan returns:
>>
>> $ sslscan --no-failed localhost:636
>> ...
>>
>> Supported Server Cipher(s):
>>
>> Accepted TLSv1 256 bits AES256-SHA
>> Accepted TLSv1 128 bits AES128-SHA
>> Accepted TLSv1 128 bits DES-CBC3-SHA
>> Accepted TLSv1 128 bits RC4-SHA
>> Accepted TLSv1 128 bits RC4-MD5
>> Accepted TLS11 256 bits AES256-SHA
>> Accepted TLS11 128 bits AES128-SHA
>> Accepted TLS11 128 bits DES-CBC3-SHA
>> Accepted TLS11 128 bits RC4-SHA
>> Accepted TLS11 128 bits RC4-MD5
>> Accepted TLS12 256 bits AES256-SHA256
>> Accepted TLS12 256 bits AES256-SHA
>> Accepted TLS12 128 bits AES128-GCM-SHA256
>> Accepted TLS12 128 bits AES128-SHA256
>> Accepted TLS12 128 bits AES128-SHA
>> Accepted TLS12 128 bits DES-CBC3-SHA
>> Accepted TLS12 128 bits RC4-SHA
>> Accepted TLS12 128 bits RC4-MD5
>>
>> ...
>>
>>
>> I would assume the sslscan is broken, but nmap and other scanners all
>> confirm that RC4 is still on.
>>
>> -M
>>
>> On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek wrote:
>>
>>> On 09/23/2015 11:00 AM, Michael Lasevich wrote:
>>>> OK, this is the most bizarre issue,
>>>>
>>>> I am trying to disable RC4 based TLS Cipher Suites in LDAPs (port 636) and
>>>> for the life of me cannot get it to work
>>>>
>>>> I have followed many nearly identical instructions to create an ldif file
>>>> and change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple
>>>> enough - and I get it to take, and during the startup I can see the right
>>>> SSL Cipher Suites listed in errors.log - but when it starts and I probe it,
>>>> RC4 ciphers are still there. I am completely confused.
>>>>
>>>> I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")
>>>> and to old style cipher lists (lowercase), and new style cipher
>>>> lists (uppercase), and nothing seems to make any difference.
>>>>
>>>> Any ideas?
>>>>
>>>> -M
>>>
>>> Are you asking about standalone 389-DS or the one integrated in FreeIPA? As
>>> with currently supported versions of FreeIPA, RC4 ciphers should be already
>>> gone, AFAIK.
>>>
>>> In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1154687
>>> https://fedorahosted.org/freeipa/ticket/4653
>>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>

From pawel.fiuto at mixrad.io Thu Sep 24 08:40:28 2015
From: pawel.fiuto at mixrad.io (Pawel Fiuto)
Date: Thu, 24 Sep 2015 08:40:28 +0000
Subject: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
In-Reply-To: <20150921194007.GD8415@redhat.com>
References: <20150919164952.GB8415@redhat.com> , <20150921194007.GD8415@redhat.com>
Message-ID:

Unfortunately the sudo package included in amzn linux does not work with sudo
rules provided via SSS, however it is in the feature requests list. To work
around this you can replace it with the CentOS one:

http://mirror.centos.org/centos/6.7/os/x86_64/Packages/sudo-1.8.6p3-19.el6.x86_64.rpm

________________________________________
From: freeipa-users-bounces at redhat.com on behalf of Alexander Bokovoy
Sent: 21 September 2015 20:40
To: Gustavo Mateus
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

On Mon, 21 Sep 2015, Gustavo Mateus wrote:
>Hi Alexander,
>
>Thank you very much for your help.
>Would it be possible for you to point me in the right direction on how to
>integrate this with sudo rules?
Please don't send emails personally unless asked to do that. Your problem
can be tracked with the public mailing list.
>my sssd.conf looks like this:
>
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>domains = default
>re_expression = (?P.+)
>
>[domain/default]
>cache_credentials = True
>id_provider = ldap
>auth_provider = ldap
>ldap_uri = ldap://ipaserver.my.domain.com
>ldap_search_base = cn=accounts,dc=my,dc=domain,dc=com
>ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
>ldap_user_ssh_public_key = ipaSshPubKey
>sudo_provider = ldap
>ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain,dc=com
>ldap_sudo_full_refresh_interval=86400
>ldap_sudo_smart_refresh_interval=3600
>debug_level=8
>
>[ssh]
>
>[sudo]
>debug_level=8
>
>
>and nsswitch.conf has this:
>
>sudoers: files sss
>
>
>
>My goal is to have freeipa as a replacement for the current openldap and
>hope that amazon linux supports it fully in the future. While they don't
>support it, I want to use as much as I can of centralized management that
>freeipa+sssd provides.
SSSD has its own plugin for sudo integration that makes it possible to cache
sudo rules via SSSD itself, as opposed to use of sudo's LDAP plugin which
tries to talk to the LDAP server directly. You need to understand what
features are provided by Amazon Linux's sudo package. It may well be missing
support for sudo plugins. I don't have access to Amazon Linux source code,
thus I cannot check whether their sudo package supports external plugins.

So even if your sssd version includes the sudo plugin, it may probably be
simply unused by your sssd version. Again, I have no idea how Amazon's Linux
AMI is built, thus it may miss this capability.

At this point I'd suggest you investigate yourself and contact Amazon
support for finding out exactly what is happening there.
--
/ Alexander Bokovoy

From tbordaz at redhat.com Thu Sep 24 09:08:34 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 24 Sep 2015 11:08:34 +0200
Subject: [Freeipa-users] user delete command hangs kdc and ldap stop responding
In-Reply-To:
References: <55FBC2AB.7060302@redhat.com> <560137B0.3080904@redhat.com>
Message-ID: <5603BD92.50108@redhat.com>

Hello Hector,

You actually hit https://fedorahosted.org/389/ticket/47976.
I updated the ticket with your thread/data.

This is a known deadlock with no fix yet. This problem seemed to be quite
rare but you are hitting it quite frequently. Did you identify a test case
for it? How frequently does it happen?

thanks
thierry

On 09/23/2015 09:53 PM, HECTOR LOPEZ wrote:
> Thierry,
>
> Here is a fresh pstack of ns-slapd after ipa user-del hangs; the db_stat
> output follows.
> Also, killing ns-slapd restores functionality to ipactl restart:
>
> sh-4.2# gstack 6134
_pt_root () from /lib64/libnspr4.so > #4 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 > #5 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 > Thread 1 (Thread 0x7fa9e0142840 (LWP 6134)): > #0 0x00007fa9dd760b7d in poll () from /lib64/libc.so.6 > #1 0x00007fa9de098967 in _pr_poll_with_poll () from /lib64/libnspr4.so > #2 0x00007fa9e017df59 in slapd_daemon () > #3 0x00007fa9e017117c in main () > > here is the db_stat: > > Default locking region information: > 902 Last allocated locker ID > 0x7fffffff Current maximum unused locker ID > 9 Number of lock modes > 200 Initial number of locks allocated > 0 Initial number of lockers allocated > 200 Initial number of lock objects allocated > 10000 Maximum number of locks possible > 10000 Maximum number of lockers possible > 10000 Maximum number of lock objects possible > 390 Current number of locks allocated > 188 Current number of lockers allocated > 250 Current number of lock objects allocated > 40 Number of lock object partitions > 8191 Size of object hash table > 314 Number of current locks > 338 Maximum number of locks at any one time > 4 Maximum number of locks in any one bucket > 457 Maximum number of locks stolen by for an empty partition > 23 Maximum number of locks stolen for any one partition > 160 Number of current lockers > 162 Maximum number of lockers at any one time > 216 Number of current lock objects > 224 Maximum number of lock objects at any one time > 2 Maximum number of lock objects in any one bucket > 68 Maximum number of objects stolen by for an empty partition > 7 Maximum number of objects stolen for any one partition > 1547826 Total number of locks requested > 1546707 Total number of locks released > 0 Total number of locks upgraded > 74 Total number of locks downgraded > 38 Lock requests not available due to conflicts, for which we waited > 54 Lock requests not available due to conflicts, for which we did > not wait > 0 Number of deadlocks > 0 Lock timeout value > 0 Number 
of locks that have timed out > 0 Transaction timeout value > 0 Number of transactions that have timed out > 2MB 304KB Region size > 14 The number of partition locks that required waiting (0%) > 9 The maximum number of times any partition lock was waited for (0%) > 0 The number of object queue operations that required waiting (0%) > 1 The number of locker allocations that required waiting (0%) > 2 The number of region locks that required waiting (0%) > 3 Maximum hash bucket length > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > Lock REGINFO information: > Environment Region type > 1 Region ID > /var/lib/dirsrv/slapd-/db/__db.001 Region name > 0x7fdb35b3d000 Region address > 0x7fdb35b3d0a0 Region allocation head > 0x7fdb35b452b0 Region primary address > 0 Region maximum allocation > 0 Region allocated > Region allocations: 31186 allocations, 0 failures, 30915 frees, 3 longest > Allocations by power-of-two sizes: > 1KB 31169 > 2KB 3 > 4KB 6 > 8KB 5 > 16KB 0 > 32KB 1 > 64KB 0 > 128KB 0 > 256KB 2 > 512KB 0 > 1024KB 1 > REGION_SHARED Region flags > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > Lock region parameters: > 2 Lock region region mutex [2/487136 0% !Own] > 16381 locker table size > 8191 object table size > 34128 obj_off > 889656 locker_off > 0 need_dd > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > Lock conflict matrix: > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > Locks grouped by lockers: > Locker Mode Count Status ----------------- Object --------------- > 2 dd=158 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 2 READ 1 HELD userRoot/id2entry.db handle 0 > 3 dd=157 locks held 0 write locks 0 pid/thread > 6134/140366854457088 flags 0 priority 100 > 4 dd=156 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 4 READ 1 HELD ipaca/id2entry.db handle 0 > 5 dd=155 locks held 0 write locks 0 pid/thread > 6134/140366787315456 flags 0 priority 100 > 6 dd=154 locks held 1 
write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 6 READ 1 HELD ipaca/entryrdn.db handle 0 > 7 dd=153 locks held 0 write locks 0 pid/thread > 6134/140366795708160 flags 0 priority 100 > 8 dd=152 locks held 0 write locks 0 pid/thread > 6134/140366812493568 flags 0 priority 100 > 9 dd=151 locks held 0 write locks 0 pid/thread > 6134/140366694995712 flags 0 priority 100 > a dd=150 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > a READ 1 HELD ipaca/vlv#allcertspkitomcatindex.db > handle 0 > c dd=149 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > c READ 1 HELD > ipaca/vlv#allinvalidcertspkitomcatindex.db handle 0 > d dd=148 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > d READ 1 HELD > ipaca/vlv#allinvalidcertsnotbeforepkitomcatindex.db handle 0 > e dd=147 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > e READ 1 HELD > ipaca/vlv#allnonrevokedcertspkitomcatindex.db handle 0 > 15 dd=146 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 15 READ 1 HELD ipaca/vlv#allvalidcertspkitomcatindex.db > handle 0 > 16 dd=145 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 16 READ 1 HELD > ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db handle 0 > 17 dd=144 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 17 READ 1 HELD > ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db handle 0 > 18 dd=143 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 18 READ 1 HELD ipaca/vlv#caallpkitomcatindex.db > handle 0 > 1d dd=142 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 1d READ 1 HELD ipaca/vlv#cacompletepkitomcatindex.db > handle 0 > 1e dd=141 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 1e READ 1 HELD > 
ipaca/vlv#cacompleteenrollmentpkitomcatindex.db handle 0 > 21 dd=140 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 21 READ 1 HELD ipaca/vlv#caenrollmentpkitomcatindex.db > handle 0 > 22 dd=139 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 22 READ 1 HELD ipaca/vlv#capendingpkitomcatindex.db > handle 0 > 23 dd=138 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 23 READ 1 HELD > ipaca/vlv#capendingenrollmentpkitomcatindex.db handle 0 > 2c dd=137 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 2c READ 1 HELD changelog/id2entry.db handle 0 > 2d dd=136 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 2e dd=135 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 2e READ 1 HELD changelog/entryusn.db handle 0 > 2f dd=134 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 30 dd=133 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 30 READ 1 HELD userRoot/entryusn.db handle 0 > 31 dd=132 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 32 dd=131 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 32 READ 1 HELD ipaca/entryusn.db handle 0 > 33 dd=130 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 34 dd=129 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 34 READ 1 HELD userRoot/entryrdn.db handle 0 > 35 dd=128 locks held 0 write locks 0 pid/thread > 6134/140366745351936 flags 0 priority 100 > 36 dd=127 locks held 0 write locks 0 pid/thread > 6134/140366703388416 flags 0 priority 100 > 36 READ 1 WAIT userRoot/id2entry.db page 2 > 37 dd=126 locks held 0 write locks 0 pid/thread > 6134/140366745351936 flags 0 priority 100 > 38 dd=125 locks held 1 write locks 
0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 38 READ 1 HELD userRoot/objectclass.db handle 0 > 39 dd=124 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 3a dd=123 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 3a READ 1 HELD userRoot/ancestorid.db handle 0 > 3b dd=122 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 3c dd=121 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 3c READ 1 HELD changelog/entryrdn.db handle 0 > 3d dd=120 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 3e dd=119 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 3f dd=118 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 40 dd=117 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 40 READ 1 HELD changelog/objectclass.db handle 0 > 41 dd=116 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 42 dd=115 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 43 dd=114 locks held 0 write locks 0 pid/thread > 6134/140366904813312 flags 0 priority 100 > 43 READ 1 WAIT userRoot/objectclass.db page 2 > 44 dd=113 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 44 READ 1 HELD ipaca/objectclass.db handle 0 > 45 dd=112 locks held 0 write locks 0 pid/thread > 6134/140366720173824 flags 0 priority 100 > 46 dd=111 locks held 0 write locks 0 pid/thread > 6134/140366778922752 flags 0 priority 100 > 47 dd=110 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 47 READ 1 HELD changelog/aci.db handle 0 > 48 dd=109 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 49 dd=108 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 
49 READ 1 HELD userRoot/aci.db handle 0 > 4a dd=107 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 4b dd=106 locks held 0 write locks 0 pid/thread > 6134/140366720173824 flags 0 priority 100 > 4c dd=105 locks held 0 write locks 0 pid/thread > 6134/140366904813312 flags 0 priority 100 > 4d dd=104 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 4d READ 1 HELD ipaca/aci.db handle 0 > 4e dd=103 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 4f dd=102 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 4f READ 1 HELD userRoot/parentid.db handle 0 > 50 dd=101 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 51 dd=100 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 52 dd=99 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 52 READ 1 HELD changelog/nsuniqueid.db handle 0 > 53 dd=98 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 53 READ 1 HELD changelog/changenumber.db handle 0 > 54 dd=97 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 55 dd=96 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 56 dd=95 locks held 1 write locks 0 pid/thread > 6134/140367584454400 flags 10 priority 100 > 56 READ 1 HELD changelog/targetuniqueid.db > handle 0 > 57 dd=94 locks held 1 write locks 0 pid/thread > 6134/140367584454400 flags 10 priority 100 > 57 READ 1 HELD changelog/parentid.db handle 0 > 58 dd=93 locks held 1 write locks 0 pid/thread > 6134/140367584454400 flags 10 priority 100 > 58 READ 1 HELD changelog/ancestorid.db handle 0 > 59 dd=92 locks held 1 write locks 0 pid/thread > 6134/140367584454400 flags 10 priority 100 > 59 READ 1 HELD changelog/numsubordinates.db > handle 0 > 5a dd=91 locks held 0 write locks 0 pid/thread > 
6134/140367584454400 flags 0 priority 100 > 5b dd=90 locks held 0 write locks 0 pid/thread > 6134/140366820886272 flags 0 priority 100 > 5c dd=89 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 5d dd=88 locks held 1 write locks 0 pid/thread > 6134/140366812493568 flags 10 priority 100 > 5d READ 1 HELD userRoot/krbPrincipalName.db > handle 0 > 5e dd=87 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 5f dd=86 locks held 0 write locks 0 pid/thread > 6134/140366854457088 flags 0 priority 100 > 60 dd=85 locks held 0 write locks 0 pid/thread > 6134/140366804100864 flags 0 priority 100 > 61 dd=84 locks held 1 write locks 0 pid/thread > 6134/140366694995712 flags 10 priority 100 > 61 READ 1 HELD userRoot/ipakrbprincipalalias.db > handle 0 > 62 dd=83 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 63 dd=82 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 64 dd=81 locks held 1 write locks 0 pid/thread > 6134/140366762137344 flags 10 priority 100 > 64 READ 1 HELD changelog/seeAlso.db handle 0 > 65 dd=80 locks held 0 write locks 0 pid/thread > 6134/140366820886272 flags 0 priority 100 > 66 dd=79 locks held 1 write locks 0 pid/thread > 6134/140366762137344 flags 10 priority 100 > 66 READ 1 HELD userRoot/seeAlso.db handle 0 > 67 dd=78 locks held 0 write locks 0 pid/thread > 6134/140366820886272 flags 0 priority 100 > 68 dd=77 locks held 1 write locks 0 pid/thread > 6134/140366762137344 flags 10 priority 100 > 68 READ 1 HELD ipaca/seeAlso.db handle 0 > 69 dd=76 locks held 0 write locks 0 pid/thread > 6134/140366820886272 flags 0 priority 100 > 6a dd=75 locks held 0 write locks 0 pid/thread > 6134/140366795708160 flags 0 priority 100 > 6b dd=74 locks held 0 write locks 0 pid/thread > 6134/140366795708160 flags 0 priority 100 > 6c dd=73 locks held 0 write locks 0 pid/thread > 6134/140366795708160 flags 0 priority 100 > 6d dd=72 locks held 0 
write locks 0 pid/thread > 6134/140366778922752 flags 0 priority 100 > 6e dd=71 locks held 0 write locks 0 pid/thread > 6134/140366778922752 flags 0 priority 100 > 6f dd=70 locks held 0 write locks 0 pid/thread > 6134/140366720173824 flags 0 priority 100 > 70 dd=69 locks held 0 write locks 0 pid/thread > 6134/140366778922752 flags 0 priority 100 > 71 dd=68 locks held 1 write locks 0 pid/thread > 6134/140366669817600 flags 10 priority 100 > 71 READ 1 HELD ipaca/certstatus.db handle 0 > 72 dd=67 locks held 0 write locks 0 pid/thread > 6134/140366778922752 flags 0 priority 100 > 73 dd=66 locks held 0 write locks 0 pid/thread > 6134/140366871242496 flags 0 priority 100 > 74 dd=65 locks held 0 write locks 0 pid/thread > 6134/140366871242496 flags 0 priority 100 > 75 dd=64 locks held 1 write locks 0 pid/thread > 6134/140366812493568 flags 10 priority 100 > 75 READ 1 HELD ipaca/cn.db handle 0 > 76 dd=63 locks held 0 write locks 0 pid/thread > 6134/140366812493568 flags 0 priority 100 > 77 dd=62 locks held 1 write locks 0 pid/thread > 6134/140366745351936 flags 10 priority 100 > 77 READ 1 HELD ipaca/requeststate.db handle 0 > 78 dd=61 locks held 0 write locks 0 pid/thread > 6134/140366745351936 flags 0 priority 100 > 79 dd=60 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 79 READ 1 HELD userRoot/gidnumber.db handle 0 > 7a dd=59 locks held 0 write locks 0 pid/thread > 6134/140366812493568 flags 0 priority 100 > 7b dd=58 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 7b READ 1 HELD userRoot/uidnumber.db handle 0 > 7c dd=57 locks held 0 write locks 0 pid/thread > 6134/140366795708160 flags 0 priority 100 > 7d dd=56 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 7d READ 1 HELD userRoot/nsuniqueid.db handle 0 > 7e dd=55 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 7e READ 1 HELD userRoot/numsubordinates.db > handle 0 > 7f 
dd=54 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 7f READ 1 HELD userRoot/member.db handle 0 > 80 dd=53 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 80 READ 1 HELD userRoot/uniquemember.db handle 0 > 81 dd=52 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 81 READ 1 HELD userRoot/owner.db handle 0 > 82 dd=51 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 82 READ 1 HELD userRoot/manager.db handle 0 > 83 dd=50 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 83 READ 1 HELD userRoot/secretary.db handle 0 > 84 dd=49 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 84 READ 1 HELD userRoot/memberUser.db handle 0 > 85 dd=48 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 85 READ 1 HELD userRoot/memberHost.db handle 0 > 86 dd=47 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 86 READ 1 HELD userRoot/sourcehost.db handle 0 > 87 dd=46 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 87 READ 1 HELD userRoot/memberservice.db handle 0 > 88 dd=45 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 88 READ 1 HELD userRoot/managedby.db handle 0 > 89 dd=44 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 89 READ 1 HELD userRoot/memberallowcmd.db > handle 0 > 8a dd=43 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 8a READ 1 HELD userRoot/memberdenycmd.db handle 0 > 8b dd=42 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 8b READ 1 HELD userRoot/ipasudorunas.db handle 0 > 8c dd=41 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 8c READ 1 HELD userRoot/ipasudorunasgroup.db > 
handle 0 > 8d dd=40 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 8d READ 1 HELD userRoot/ipatokenradiusconfiglink.db > handle 0 > 8e dd=39 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 8e READ 1 HELD userRoot/ipaassignedidview.db > handle 0 > 8f dd=38 locks held 0 write locks 0 pid/thread > 6134/140366720173824 flags 0 priority 100 > 90 dd=37 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 91 dd=36 locks held 1 write locks 0 pid/thread > 6134/140366736959232 flags 10 priority 100 > 91 READ 1 HELD userRoot/uid.db handle 0 > 92 dd=35 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 94 dd=34 locks held 0 write locks 0 pid/thread > 6134/140366720173824 flags 0 priority 100 > 95 dd=33 locks held 0 write locks 0 pid/thread > 6134/140366711781120 flags 0 priority 100 > 97 dd=32 locks held 1 write locks 0 pid/thread > 6134/140366711781120 flags 10 priority 100 > 97 READ 1 HELD userRoot/memberuid.db handle 0 > 98 dd=31 locks held 0 write locks 0 pid/thread > 6134/140366862849792 flags 0 priority 100 > 99 dd=30 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 9a dd=29 locks held 1 write locks 0 pid/thread > 6134/140366728566528 flags 10 priority 100 > 9a READ 1 HELD userRoot/cn.db handle 0 > 9b dd=28 locks held 0 write locks 0 pid/thread > 6134/140366846064384 flags 0 priority 100 > 9c dd=27 locks held 0 write locks 0 pid/thread > 6134/140366862849792 flags 0 priority 100 > 9d dd=26 locks held 0 write locks 0 pid/thread > 6134/140366787315456 flags 0 priority 100 > 9f dd=25 locks held 0 write locks 0 pid/thread > 6134/140366678210304 flags 0 priority 100 > a0 dd=24 locks held 0 write locks 0 pid/thread > 6134/140366669817600 flags 0 priority 100 > a1 dd=23 locks held 0 write locks 0 pid/thread > 6134/140366904813312 flags 0 priority 100 > a2 dd=22 locks held 0 write locks 0 pid/thread > 
6134/140366862849792 flags 0 priority 100 > a4 dd=21 locks held 0 write locks 0 pid/thread > 6134/140366862849792 flags 0 priority 100 > da dd=20 locks held 0 write locks 0 pid/thread > 6134/140366745351936 flags 0 priority 100 > db dd=19 locks held 0 write locks 0 pid/thread > 6134/140366669817600 flags 0 priority 100 > dc dd=18 locks held 0 write locks 0 pid/thread > 6134/140366745351936 flags 0 priority 100 > dd dd=17 locks held 0 write locks 0 pid/thread > 6134/140366669817600 flags 0 priority 100 > 26a dd=16 locks held 0 write locks 0 pid/thread > 6134/140366913206016 flags 0 priority 100 > 274 dd=15 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 275 dd=14 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 276 dd=13 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 277 dd=12 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 37c dd=11 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 37d dd=10 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 37e dd= 9 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 37f dd= 8 locks held 1 write locks 0 pid/thread > 6134/140366854457088 flags 10 priority 100 > 37f READ 1 HELD userRoot/memberOf.db handle 0 > 380 dd= 7 locks held 0 write locks 0 pid/thread > 6134/140366854457088 flags 0 priority 100 > 381 dd= 5 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 381 READ 1 HELD userRoot/displayname.db handle 0 > 382 dd= 4 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 382 READ 1 HELD userRoot/sn.db handle 0 > 383 dd= 3 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 383 READ 1 HELD userRoot/mail.db handle 0 > 384 dd= 2 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 
priority 100 > 384 READ 1 HELD userRoot/givenName.db handle 0 > 385 dd= 1 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 385 READ 1 HELD userRoot/ipauniqueid.db handle 0 > 386 dd= 0 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 386 READ 1 HELD userRoot/nscpEntryDN.db handle 0 > 80003201 dd= 6 locks held 234 write locks 110 pid/thread > 6134/140366703388416 flags 0 priority 100 > 80003201 READ 1 HELD userRoot/ipaassignedidview.db > page 1 > 80003201 READ 1 HELD userRoot/ipatokenradiusconfiglink.db > page 1 > 80003201 READ 1 HELD userRoot/ipasudorunasgroup.db > page 1 > 80003201 READ 1 HELD userRoot/ipasudorunas.db page 1 > 80003201 READ 1 HELD userRoot/memberdenycmd.db page 1 > 80003201 READ 1 HELD userRoot/memberallowcmd.db > page 1 > 80003201 READ 1 HELD userRoot/managedby.db page 4 > 80003201 READ 1 HELD userRoot/memberservice.db page 1 > 80003201 READ 1 HELD userRoot/sourcehost.db page 1 > 80003201 READ 1 HELD userRoot/memberHost.db page 1 > 80003201 READ 1 HELD userRoot/memberUser.db page 1 > 80003201 READ 1 HELD userRoot/secretary.db page 1 > 80003201 READ 1 HELD userRoot/manager.db page 1 > 80003201 READ 1 HELD userRoot/seeAlso.db page 1 > 80003201 READ 1 HELD userRoot/owner.db page 1 > 80003201 READ 1 HELD userRoot/uniquemember.db page 1 > 80003201 WRITE 1 HELD userRoot/id2entry.db page 6 > 80003201 WRITE 2 HELD userRoot/member.db page 110 > 80003201 READ 1 HELD userRoot/member.db page 3 > 80003201 WRITE 2 HELD userRoot/member.db page 3 > 80003201 READ 1 HELD userRoot/member.db page 59 > 80003201 WRITE 2 HELD userRoot/member.db page 59 > 80003201 READ 1 HELD userRoot/memberOf.db page 4 > 80003201 READ 3 HELD userRoot/member.db page 110 > 80003201 READ 2 HELD changelog/nsuniqueid.db page 18 > 80003201 READ 6 HELD changelog/entryrdn.db page 51 > 80003201 READ 4 HELD changelog/entryrdn.db page 13 > 80003201 WRITE 2 HELD changelog/id2entry.db page 661 > 80003201 WRITE 6 HELD 
changelog/objectclass.db page 1 > 80003201 WRITE 2 HELD changelog/targetuniqueid.db > page 45 > 80003201 WRITE 2 HELD changelog/changenumber.db page 2 > 80003201 WRITE 2 HELD changelog/nsuniqueid.db page 18 > 80003201 WRITE 2 HELD changelog/parentid.db page 1 > 80003201 WRITE 2 HELD changelog/entryusn.db page 5 > 80003201 WRITE 2 HELD changelog/ancestorid.db page 1 > 80003201 WRITE 2 HELD changelog/entryrdn.db page 13 > 80003201 WRITE 2 HELD changelog/entryrdn.db page 85 > 80003201 WRITE 2 HELD changelog/entryrdn.db page 63 > 80003201 WRITE 2 HELD changelog/id2entry.db page 2 > 80003201 WRITE 2 HELD changelog/numsubordinates.db > page 1 > 80003201 WRITE 1 HELD userRoot/numsubordinates.db > page 1 > 80003201 WRITE 1 HELD userRoot/id2entry.db page 2 > 80003201 WRITE 1 HELD userRoot/nscpEntryDN.db page 1 > 80003201 WRITE 1 HELD userRoot/objectclass.db page 17 > 80003201 WRITE 3 HELD userRoot/entryrdn.db page 68 > 80003201 READ 1 HELD userRoot/entryrdn.db page 68 > 80003201 WRITE 3 HELD userRoot/entryrdn.db page 3 > 80003201 WRITE 3 HELD userRoot/entryrdn.db page 69 > 80003201 WRITE 4 HELD userRoot/ancestorid.db page 3 > 80003201 READ 2 HELD userRoot/ancestorid.db page 3 > 80003201 WRITE 2 HELD userRoot/ancestorid.db page 4 > 80003201 READ 1 HELD userRoot/ancestorid.db page 4 > 80003201 WRITE 2 HELD userRoot/memberOf.db page 12 > 80003201 READ 1 HELD userRoot/memberOf.db page 12 > 80003201 WRITE 6 HELD userRoot/entryusn.db page 8 > 80003201 READ 2 HELD userRoot/entryusn.db page 8 > 80003201 WRITE 2 HELD userRoot/uidnumber.db page 4 > 80003201 READ 1 HELD userRoot/uidnumber.db page 4 > 80003201 WRITE 3 HELD userRoot/parentid.db page 1 > 80003201 READ 1 HELD userRoot/parentid.db page 1 > 80003201 WRITE 2 HELD userRoot/ipauniqueid.db page 5 > 80003201 READ 1 HELD userRoot/ipauniqueid.db page 5 > 80003201 WRITE 3 HELD userRoot/nsuniqueid.db page 2 > 80003201 READ 1 HELD userRoot/nsuniqueid.db page 2 > 80003201 WRITE 2 HELD userRoot/uid.db page 21 > 80003201 READ 1 HELD 
userRoot/uid.db page 21
> 80003201 WRITE 2 HELD userRoot/uid.db page 12
> 80003201 READ 1 HELD userRoot/uid.db page 12
> 80003201 WRITE 2 HELD userRoot/uid.db page 16
> 80003201 READ 1 HELD userRoot/uid.db page 16
> 80003201 WRITE 2 HELD userRoot/uid.db page 15
> 80003201 READ 1 HELD userRoot/uid.db page 15
> 80003201 WRITE 2 HELD userRoot/uid.db page 4
> 80003201 READ 1 HELD userRoot/uid.db page 4
> 80003201 WRITE 2 HELD userRoot/uid.db page 9
> 80003201 READ 1 HELD userRoot/uid.db page 9
> 80003201 WRITE 2 HELD userRoot/uid.db page 19
> 80003201 READ 1 HELD userRoot/uid.db page 19
> 80003201 WRITE 2 HELD userRoot/givenName.db page 27
> 80003201 READ 1 HELD userRoot/givenName.db page 27
> 80003201 WRITE 2 HELD userRoot/givenName.db page 3
> 80003201 READ 1 HELD userRoot/givenName.db page 3
> 80003201 WRITE 2 HELD userRoot/givenName.db page 22
> 80003201 READ 1 HELD userRoot/givenName.db page 22
> 80003201 WRITE 2 HELD userRoot/givenName.db page 11
> 80003201 READ 1 HELD userRoot/givenName.db page 11
> 80003201 WRITE 2 HELD userRoot/givenName.db page 17
> 80003201 READ 1 HELD userRoot/givenName.db page 17
> 80003201 WRITE 2 HELD userRoot/givenName.db page 15
> 80003201 READ 1 HELD userRoot/givenName.db page 15
> 80003201 WRITE 2 HELD userRoot/givenName.db page 16
> 80003201 READ 1 HELD userRoot/givenName.db page 16
> 80003201 WRITE 2 HELD userRoot/givenName.db page 25
> 80003201 READ 1 HELD userRoot/givenName.db page 25
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 11
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 11
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 9
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 9
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 10
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 10
> 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 2
> 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 2
> 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 3
> 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 3
> 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 8
> 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 8
> 80003201 WRITE 6 HELD userRoot/krbPrincipalName.db page 15
> 80003201 READ 3 HELD userRoot/krbPrincipalName.db page 15
> 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 6
> 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 6
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 80
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 80
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 81
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 81
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 79
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 79
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 38
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 38
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 4
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 4
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 47
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 47
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 84
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 84
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 39
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 39
> 80003201 WRITE 2 HELD userRoot/mail.db page 42
> 80003201 READ 1 HELD userRoot/mail.db page 42
> 80003201 WRITE 2 HELD userRoot/mail.db page 12
> 80003201 READ 1 HELD userRoot/mail.db page 12
> 80003201 WRITE 2 HELD userRoot/mail.db page 2
> 80003201 READ 1 HELD userRoot/mail.db page 2
> 80003201 WRITE 2 HELD userRoot/mail.db page 67
> 80003201 READ 1 HELD userRoot/mail.db page 67
> 80003201 WRITE 2 HELD userRoot/mail.db page 25
> 80003201 READ 1 HELD userRoot/mail.db page 25
> 80003201 WRITE 2 HELD userRoot/mail.db page 41
> 80003201 READ 1 HELD userRoot/mail.db page 41
> 80003201 WRITE 2 HELD userRoot/mail.db page 35
> 80003201 READ 1 HELD userRoot/mail.db page 35
> 80003201 WRITE 2 HELD userRoot/mail.db page 74
> 80003201 READ 1 HELD userRoot/mail.db page 74
> 80003201 WRITE 2 HELD userRoot/mail.db page 40
> 80003201 READ 1 HELD userRoot/mail.db page 40
> 80003201 WRITE 2 HELD userRoot/mail.db page 9
> 80003201 READ 1 HELD userRoot/mail.db page 9
> 80003201 WRITE 2 HELD userRoot/mail.db page 75
> 80003201 READ 1 HELD userRoot/mail.db page 75
> 80003201 WRITE 2 HELD userRoot/mail.db page 43
> 80003201 READ 1 HELD userRoot/mail.db page 43
> 80003201 WRITE 2 HELD userRoot/mail.db page 27
> 80003201 READ 1 HELD userRoot/mail.db page 27
> 80003201 WRITE 2 HELD userRoot/mail.db page 10
> 80003201 READ 1 HELD userRoot/mail.db page 10
> 80003201 WRITE 2 HELD userRoot/mail.db page 72
> 80003201 READ 1 HELD userRoot/mail.db page 72
> 80003201 WRITE 2 HELD userRoot/sn.db page 9
> 80003201 READ 1 HELD userRoot/sn.db page 9
> 80003201 WRITE 2 HELD userRoot/sn.db page 3
> 80003201 READ 1 HELD userRoot/sn.db page 3
> 80003201 WRITE 2 HELD userRoot/sn.db page 5
> 80003201 READ 1 HELD userRoot/sn.db page 5
> 80003201 WRITE 2 HELD userRoot/sn.db page 25
> 80003201 READ 1 HELD userRoot/sn.db page 25
> 80003201 WRITE 2 HELD userRoot/sn.db page 6
> 80003201 READ 1 HELD userRoot/sn.db page 6
> 80003201 WRITE 4 HELD userRoot/sn.db page 29
> 80003201 READ 2 HELD userRoot/sn.db page 29
> 80003201 WRITE 2 HELD userRoot/gidnumber.db page 2
> 80003201 READ 1 HELD userRoot/gidnumber.db page 2
> 80003201 WRITE 26 HELD userRoot/displayname.db page 1
> 80003201 READ 13 HELD userRoot/displayname.db page 1
> 80003201 WRITE 2 HELD userRoot/objectclass.db page 16
> 80003201 READ 1 HELD userRoot/objectclass.db page 16
> 80003201 WRITE 2 HELD userRoot/objectclass.db page 9
> 80003201 READ 1 HELD userRoot/objectclass.db page 9
> 80003201 WRITE 2 HELD userRoot/objectclass.db page 15
> 80003201 READ 1 HELD userRoot/objectclass.db page 15
> 80003201 WRITE 2 HELD userRoot/objectclass.db page 18
> 80003201 READ 1 HELD userRoot/objectclass.db page 18
> 80003201 WRITE 4 HELD userRoot/objectclass.db page 2
> 80003201 READ 2 HELD userRoot/objectclass.db page 2
> 80003201 WRITE 4 HELD userRoot/objectclass.db page 8
> 80003201 READ 2 HELD userRoot/objectclass.db page 8
> 80003201 WRITE 6 HELD userRoot/objectclass.db page 19
> 80003201 READ 21 HELD userRoot/objectclass.db page 19
> 80003201 WRITE 4 HELD userRoot/objectclass.db page 3
> 80003201 READ 2 HELD userRoot/objectclass.db page 3
> 80003201 WRITE 2 HELD userRoot/cn.db page 28
> 80003201 READ 1 HELD userRoot/cn.db page 28
> 80003201 WRITE 2 HELD userRoot/cn.db page 81
> 80003201 READ 1 HELD userRoot/cn.db page 81
> 80003201 WRITE 2 HELD userRoot/cn.db page 21
> 80003201 READ 1 HELD userRoot/cn.db page 21
> 80003201 WRITE 2 HELD userRoot/cn.db page 32
> 80003201 READ 1 HELD userRoot/cn.db page 32
> 80003201 WRITE 2 HELD userRoot/cn.db page 2
> 80003201 READ 1 HELD userRoot/cn.db page 2
> 80003201 WRITE 2 HELD userRoot/cn.db page 4
> 80003201 READ 1 HELD userRoot/cn.db page 4
> 80003201 WRITE 2 HELD userRoot/cn.db page 52
> 80003201 READ 1 HELD userRoot/cn.db page 52
> 80003201 WRITE 2 HELD userRoot/cn.db page 53
> 80003201 READ 1 HELD userRoot/cn.db page 53
> 80003201 WRITE 2 HELD userRoot/cn.db page 44
> 80003201 READ 1 HELD userRoot/cn.db page 44
> 80003201 WRITE 2 HELD userRoot/cn.db page 26
> 80003201 READ 1 HELD userRoot/cn.db page 26
> 80003201 WRITE 2 HELD userRoot/cn.db page 67
> 80003201 READ 1 HELD userRoot/cn.db page 67
> 80003201 WRITE 2 HELD userRoot/cn.db page 16
> 80003201 READ 1 HELD userRoot/cn.db page 16
> 80003201 WRITE 2 HELD userRoot/cn.db page 15
> 80003201 READ 1 HELD userRoot/cn.db page 15
> 80003201 WRITE 2 HELD userRoot/cn.db page 78
> 80003201 READ 1 HELD userRoot/cn.db page 78
> 80003201 WRITE 24 HELD userRoot/id2entry.db page 0
> 80003201 WRITE 1 HELD userRoot/id2entry.db page 1420
> 80003201 READ 1 HELD userRoot/id2entry.db page 3
> 80003201 READ 1 HELD userRoot/entryrdn.db page 19
> 80003201 READ 1 HELD userRoot/id2entry.db page 8
> 80003201 READ 3 HELD userRoot/entryrdn.db page 69
> 80003201 READ 1 HELD userRoot/entryrdn.db page 4
> 80003201 READ 1 HELD userRoot/id2entry.db page 20
> 80003201 READ 10 HELD userRoot/entryrdn.db page 3
> 80003201 READ 1 HELD userRoot/id2entry.db page 5
> 80003201 READ 3 HELD userRoot/entryrdn.db page 23
> 80003201 READ 3 HELD userRoot/entryrdn.db page 28
> 80003201 READ 2 HELD userRoot/entryrdn.db page 9
> 80003201 READ 1 HELD userRoot/id2entry.db page 66
> 80003201 READ 5 HELD userRoot/entryrdn.db page 6
> 80003201 READ 5 HELD userRoot/entryrdn.db page 20
> 80003201 READ 10 HELD userRoot/entryrdn.db page 40
> 80003201 READ 14 HELD userRoot/entryrdn.db page 41
> 80003231 dd=4294967295 locks held 4 write locks 0 pid/thread 6134/140366703388416 flags 0 priority 100
> 80003231 READ 1 HELD userRoot/id2entry.db page 1420
> 80003231 READ 2 HELD userRoot/entryrdn.db page 3
> 80003231 READ 1 HELD userRoot/entryrdn.db page 40
> 80003231 READ 1 HELD userRoot/entryrdn.db page 41
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Locks grouped by object:
> Locker Mode Count Status ----------------- Object ---------------
> 49 READ 1 HELD userRoot/aci.db handle 0
>
> 61 READ 1 HELD userRoot/ipakrbprincipalalias.db handle 0
>
> 80003201 READ 1 HELD userRoot/seeAlso.db page 1
>
> 66 READ 1 HELD userRoot/seeAlso.db handle 0
>
> 75 READ 1 HELD ipaca/cn.db handle 0
>
> 1d READ 1 HELD ipaca/vlv#cacompletepkitomcatindex.db handle 0
>
> 89 READ 1 HELD userRoot/memberallowcmd.db handle 0
>
> 80003201 READ 1 HELD userRoot/memberallowcmd.db page 1
>
> 82 READ 1 HELD userRoot/manager.db handle 0
>
> 80003201 READ 1 HELD userRoot/manager.db page 1
>
> 56 READ 1 HELD changelog/targetuniqueid.db handle 0
>
> 80003201 WRITE 2 HELD changelog/targetuniqueid.db page 45
>
> 21 READ 1 HELD ipaca/vlv#caenrollmentpkitomcatindex.db handle 0
>
> 83 READ 1 HELD userRoot/secretary.db handle 0
>
> 80003201 READ 1 HELD userRoot/secretary.db page 1
>
> 7b READ 1 HELD userRoot/uidnumber.db handle 0
>
> 80003201 READ 1 HELD userRoot/uidnumber.db page 4
> 80003201 WRITE 2 HELD userRoot/uidnumber.db page 4
>
> 386 READ 1 HELD userRoot/nscpEntryDN.db handle 0
>
> 80003201 WRITE 1 HELD userRoot/nscpEntryDN.db page 1
>
> 58 READ 1 HELD changelog/ancestorid.db handle 0
>
> 80003201 WRITE 2 HELD changelog/ancestorid.db page 1
>
> 6 READ 1 HELD ipaca/entryrdn.db handle 0
>
> 80003201 READ 1 HELD userRoot/cn.db page 67
> 80003201 WRITE 2 HELD userRoot/cn.db page 67
>
> 80003201 READ 1 HELD userRoot/cn.db page 78
> 80003201 WRITE 2 HELD userRoot/cn.db page 78
>
> 80003201 READ 1 HELD userRoot/cn.db page 81
> 80003201 WRITE 2 HELD userRoot/cn.db page 81
>
> 381 READ 1 HELD userRoot/displayname.db handle 0
>
> 80003201 READ 13 HELD userRoot/displayname.db page 1
> 80003201 WRITE 26 HELD userRoot/displayname.db page 1
>
> 80003201 READ 1 HELD userRoot/cn.db page 32
> 80003201 WRITE 2 HELD userRoot/cn.db page 32
>
> 80003201 READ 1 HELD userRoot/cn.db page 44
> 80003201 WRITE 2 HELD userRoot/cn.db page 44
>
> 80003201 READ 1 HELD userRoot/cn.db page 52
> 80003201 WRITE 2 HELD userRoot/cn.db page 52
>
> 80003201 READ 1 HELD userRoot/cn.db page 53
> 80003201 WRITE 2 HELD userRoot/cn.db page 53
>
> 80003201 READ 1 HELD userRoot/cn.db page 4
> 80003201 WRITE 2 HELD userRoot/cn.db page 4
>
> 80003201 READ 1 HELD userRoot/cn.db page 2
> 80003201 WRITE 2 HELD userRoot/cn.db page 2
>
> 9a READ 1 HELD userRoot/cn.db handle 0
>
> 80003201 READ 1 HELD userRoot/cn.db page 15
> 80003201 WRITE 2 HELD userRoot/cn.db page 15
>
> 80003201 READ 1 HELD userRoot/cn.db page 21
> 80003201 WRITE 2 HELD userRoot/cn.db page 21
>
> 80003201 READ 1 HELD userRoot/cn.db page 16
> 80003201 WRITE 2 HELD userRoot/cn.db page 16
>
> 80003201 READ 1 HELD userRoot/cn.db page 28
> 80003201 WRITE 2 HELD userRoot/cn.db page 28
>
> 80003201 READ 1 HELD userRoot/cn.db page 26
> 80003201 WRITE 2 HELD userRoot/cn.db page 26
>
> 4d READ 1 HELD ipaca/aci.db handle 0
>
> 80003201 READ 3 HELD userRoot/entryrdn.db page 69
> 80003201 WRITE 3 HELD userRoot/entryrdn.db page 69
>
> 80003201 READ 1 HELD userRoot/entryrdn.db page 68
> 80003201 WRITE 3 HELD userRoot/entryrdn.db page 68
>
> 80003201 READ 14 HELD userRoot/entryrdn.db page 41
> 80003231 READ 1 HELD userRoot/entryrdn.db page 41
>
> 80003201 READ 10 HELD userRoot/entryrdn.db page 40
> 80003231 READ 1 HELD userRoot/entryrdn.db page 40
>
> 80003201 READ 1 HELD userRoot/entryrdn.db page 4
>
> 80003201 READ 5 HELD userRoot/entryrdn.db page 6
>
> 34 READ 1 HELD userRoot/entryrdn.db handle 0
>
> 80003201 READ 10 HELD userRoot/entryrdn.db page 3
> 80003201 WRITE 3 HELD userRoot/entryrdn.db page 3
> 80003231 READ 2 HELD userRoot/entryrdn.db page 3
>
> 80003201 READ 2 HELD userRoot/entryrdn.db page 9
>
> 80003201 READ 5 HELD userRoot/entryrdn.db page 20
>
> 80003201 READ 3 HELD userRoot/entryrdn.db page 23
>
> 80003201 READ 1 HELD userRoot/entryrdn.db page 19
>
> 80003201 READ 3 HELD userRoot/entryrdn.db page 28
>
> 80003201 READ 1 HELD userRoot/givenName.db page 3
> 80003201 WRITE 2 HELD userRoot/givenName.db page 3
>
> 384 READ 1 HELD userRoot/givenName.db handle 0
>
> 80003201 READ 1 HELD userRoot/givenName.db page 11
> 80003201 WRITE 2 HELD userRoot/givenName.db page 11
>
> 80003201 READ 1 HELD userRoot/givenName.db page 15
> 80003201 WRITE 2 HELD userRoot/givenName.db page 15
>
> 80003201 READ 1 HELD userRoot/givenName.db page 17
> 80003201 WRITE 2 HELD userRoot/givenName.db page 17
>
> 80003201 READ 1 HELD userRoot/givenName.db page 16
> 80003201 WRITE 2 HELD userRoot/givenName.db page 16
>
> 80003201 READ 1 HELD userRoot/givenName.db page 22
> 80003201 WRITE 2 HELD userRoot/givenName.db page 22
>
> 80003201 READ 1 HELD userRoot/givenName.db page 27
> 80003201 WRITE 2 HELD userRoot/givenName.db page 27
>
> 80003201 READ 1 HELD userRoot/givenName.db page 25
> 80003201 WRITE 2 HELD userRoot/givenName.db page 25
>
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 47
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 47
>
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 39
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 39
>
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 38
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 38
>
> 23 READ 1 HELD ipaca/vlv#capendingenrollmentpkitomcatindex.db handle 0
>
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 9
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 9
>
> 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 8
> 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 8
>
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 11
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 11
>
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 10
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 10
>
> 80003201 READ 3 HELD userRoot/krbPrincipalName.db page 15
> 80003201 WRITE 6 HELD userRoot/krbPrincipalName.db page 15
>
> 5d READ 1 HELD userRoot/krbPrincipalName.db handle 0
>
> 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 3
> 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 3
>
> 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 2
> 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 2
>
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 4
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 4
>
> 80003201 READ 2 HELD userRoot/krbPrincipalName.db page 6
> 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db page 6
>
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 79
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 79
>
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 81
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 81
>
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 80
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 80
>
> 80003201 READ 1 HELD userRoot/krbPrincipalName.db page 84
> 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page 84
>
> 2c READ 1 HELD changelog/id2entry.db handle 0
>
> 80003201 WRITE 2 HELD changelog/id2entry.db page 2
>
> a READ 1 HELD ipaca/vlv#allcertspkitomcatindex.db handle 0
>
> 44 READ 1 HELD ipaca/objectclass.db handle 0
>
> 80003201 READ 1 HELD userRoot/gidnumber.db page 2
> 80003201 WRITE 2 HELD userRoot/gidnumber.db page 2
>
> 79 READ 1 HELD userRoot/gidnumber.db handle 0
>
> 77 READ 1 HELD ipaca/requeststate.db handle 0
>
> 80003201 WRITE 2 HELD changelog/id2entry.db page 661
>
> 385 READ 1 HELD userRoot/ipauniqueid.db handle 0
>
> 80003201 READ 1 HELD userRoot/ipauniqueid.db page 5
> 80003201 WRITE 2 HELD userRoot/ipauniqueid.db page 5
>
> c READ 1 HELD ipaca/vlv#allinvalidcertspkitomcatindex.db handle 0
>
> 16 READ 1 HELD ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db handle 0
>
> 80003201 WRITE 2 HELD changelog/entryusn.db page 5
>
> 2e READ 1 HELD changelog/entryusn.db handle 0
>
> 80003201 READ 2 HELD userRoot/sn.db page 29
> 80003201 WRITE 4 HELD userRoot/sn.db page 29
>
> 80003201 READ 1 HELD userRoot/sn.db page 25
> 80003201 WRITE 2 HELD userRoot/sn.db page 25
>
> 80003201 READ 1 HELD userRoot/sn.db page 6
> 80003201 WRITE 2 HELD userRoot/sn.db page 6
>
> 80003201 READ 1 HELD userRoot/sn.db page 5
> 80003201 WRITE 2 HELD userRoot/sn.db page 5
>
> 80003201 READ 1 HELD userRoot/sn.db page 3
> 80003201 WRITE 2 HELD userRoot/sn.db page 3
>
> 382 READ 1 HELD userRoot/sn.db handle 0
>
> 80003201 READ 1 HELD userRoot/sn.db page 9
> 80003201 WRITE 2 HELD userRoot/sn.db page 9
>
> 4 READ 1 HELD ipaca/id2entry.db handle 0
>
> 80003201 READ 1 HELD userRoot/owner.db page 1
>
> 81 READ 1 HELD userRoot/owner.db handle 0
>
> 7d READ 1 HELD userRoot/nsuniqueid.db handle 0
>
> 80003201 READ 1 HELD userRoot/nsuniqueid.db page 2
> 80003201 WRITE 3 HELD userRoot/nsuniqueid.db page 2
>
> 32 READ 1 HELD ipaca/entryusn.db handle 0
>
> 91 READ 1 HELD userRoot/uid.db handle 0
>
> 80003201 READ 1 HELD userRoot/uid.db page 4
> 80003201 WRITE 2 HELD userRoot/uid.db page 4
>
> 80003201 READ 1 HELD userRoot/uid.db page 9
> 80003201 WRITE 2 HELD userRoot/uid.db page 9
>
> 80003201 READ 1 HELD userRoot/uid.db page 15
> 80003201 WRITE 2 HELD userRoot/uid.db page 15
>
> 80003201 READ 1 HELD userRoot/uid.db page 12
> 80003201 WRITE 2 HELD userRoot/uid.db page 12
>
> 80003201 READ 1 HELD userRoot/uid.db page 19
> 80003201 WRITE 2 HELD userRoot/uid.db page 19
>
> 80003201 READ 1 HELD userRoot/uid.db page 16
> 80003201 WRITE 2 HELD userRoot/uid.db page 16
>
> 52 READ 1 HELD changelog/nsuniqueid.db handle 0
>
> 7e READ 1 HELD userRoot/numsubordinates.db handle 0
>
> 80003201 WRITE 1 HELD userRoot/numsubordinates.db page 1
>
> 80003201 READ 1 HELD userRoot/uid.db page 21
> 80003201 WRITE 2 HELD userRoot/uid.db page 21
>
> 80003201 READ 2 HELD changelog/nsuniqueid.db page 18
> 80003201 WRITE 2 HELD changelog/nsuniqueid.db page 18
>
> 80003201 READ 1 HELD userRoot/memberdenycmd.db page 1
>
> 8a READ 1 HELD userRoot/memberdenycmd.db handle 0
>
> 8c READ 1 HELD userRoot/ipasudorunasgroup.db handle 0
>
> 80003201 READ 1 HELD userRoot/ipasudorunasgroup.db page 1
>
> 80003201 READ 1 HELD userRoot/id2entry.db page 66
>
> 47 READ 1 HELD changelog/aci.db handle 0
>
> 80003201 READ 1 HELD userRoot/id2entry.db page 20
>
> 80003201 READ 1 HELD userRoot/id2entry.db page 8
>
> 80003201 WRITE 1 HELD userRoot/id2entry.db page 6
>
> 80003201 READ 1 HELD userRoot/id2entry.db page 5
>
> 80003201 READ 1 HELD userRoot/id2entry.db page 3
>
> 80003201 WRITE 1 HELD userRoot/id2entry.db page 2
> 36 READ 1 WAIT userRoot/id2entry.db page 2
>
> 80003201 WRITE 24 HELD userRoot/id2entry.db page 0
>
> 2 READ 1 HELD userRoot/id2entry.db handle 0
>
> 80003201 READ 1 HELD userRoot/memberUser.db page 1
>
> 84 READ 1 HELD userRoot/memberUser.db handle 0
>
> 80003201 WRITE 6 HELD changelog/objectclass.db page 1
>
> 40 READ 1 HELD changelog/objectclass.db handle 0
>
> 8b READ 1 HELD userRoot/ipasudorunas.db handle 0
>
> 80003201 READ 1 HELD userRoot/ipasudorunas.db page 1
>
> 15 READ 1 HELD ipaca/vlv#allvalidcertspkitomcatindex.db handle 0
>
> 57 READ 1 HELD changelog/parentid.db handle 0
>
> 80003201 WRITE 2 HELD changelog/parentid.db page 1
>
> 86 READ 1 HELD userRoot/sourcehost.db handle 0
>
> 80003201 READ 1 HELD userRoot/sourcehost.db page 1
>
> 80003201 WRITE 2 HELD changelog/entryrdn.db page 85
>
> 3c READ 1 HELD changelog/entryrdn.db handle 0
>
> 80003201 READ 4 HELD changelog/entryrdn.db page 13
> 80003201 WRITE 2 HELD changelog/entryrdn.db page 13
>
> 80003201 READ 1 HELD userRoot/ipaassignedidview.db page 1
>
> 8e READ 1 HELD userRoot/ipaassignedidview.db handle 0
>
> 80003201 WRITE 1 HELD userRoot/id2entry.db page 1420
> 80003231 READ 1 HELD userRoot/id2entry.db page 1420
>
> 80003201 READ 6 HELD changelog/entryrdn.db page 51
>
> 80003201 READ 1 HELD userRoot/memberOf.db page 4
>
> 80003201 WRITE 2 HELD changelog/entryrdn.db page 63
>
> 37f READ 1 HELD userRoot/memberOf.db handle 0
>
> 80003201 READ 1 HELD userRoot/memberOf.db page 12
> 80003201 WRITE 2 HELD userRoot/memberOf.db page 12
>
> 80003201 READ 1 HELD userRoot/ipatokenradiusconfiglink.db page 1
>
> 8d READ 1 HELD userRoot/ipatokenradiusconfiglink.db handle 0
>
> 80003201 READ 1 HELD userRoot/managedby.db page 4
>
> 68 READ 1 HELD ipaca/seeAlso.db handle 0
>
> 88 READ 1 HELD userRoot/managedby.db handle 0
>
> 22 READ 1 HELD ipaca/vlv#capendingpkitomcatindex.db handle 0
>
> 1e READ 1 HELD ipaca/vlv#cacompleteenrollmentpkitomcatindex.db handle 0
>
> 85 READ 1 HELD userRoot/memberHost.db handle 0
>
> 80003201 READ 1 HELD userRoot/memberHost.db page 1
>
> 18 READ 1 HELD ipaca/vlv#caallpkitomcatindex.db handle 0
>
> 97 READ 1 HELD userRoot/memberuid.db handle 0
>
> 87 READ 1 HELD userRoot/memberservice.db handle 0
>
> 80003201 READ 1 HELD userRoot/memberservice.db page 1
>
> 80003201 READ 1 HELD userRoot/parentid.db page 1
> 80003201 WRITE 3 HELD userRoot/parentid.db page 1
>
> 4f READ 1 HELD userRoot/parentid.db handle 0
>
> 80003201 WRITE 2 HELD changelog/changenumber.db page 2
>
> 53 READ 1 HELD changelog/changenumber.db handle 0
>
> 64 READ 1 HELD changelog/seeAlso.db handle 0
>
> 80003201 READ 2 HELD userRoot/entryusn.db page 8
> 80003201 WRITE 6 HELD userRoot/entryusn.db page 8
>
> 30 READ 1 HELD userRoot/entryusn.db handle 0
>
> 80003201 READ 1 HELD userRoot/ancestorid.db page 4
> 80003201 WRITE 2 HELD userRoot/ancestorid.db page 4
>
> 3a READ 1 HELD userRoot/ancestorid.db handle 0
>
> 80003201 READ 2 HELD userRoot/ancestorid.db page 3
> 80003201 WRITE 4 HELD userRoot/ancestorid.db page 3
>
> 80003201 READ 1 HELD userRoot/mail.db page 67
> 80003201 WRITE 2 HELD userRoot/mail.db page 67
>
> 80003201 READ 1 HELD userRoot/mail.db page 72
> 80003201 WRITE 2 HELD userRoot/mail.db page 72
>
> 80003201 READ 1 HELD userRoot/mail.db page 74
> 80003201 WRITE 2 HELD userRoot/mail.db page 74
>
> 80003201 READ 1 HELD userRoot/mail.db page 75
> 80003201 WRITE 2 HELD userRoot/mail.db page 75
>
> 383 READ 1 HELD userRoot/mail.db handle 0
>
> 80003201 READ 1 HELD userRoot/mail.db page 2
> 80003201 WRITE 2 HELD userRoot/mail.db page 2
>
> 80003201 READ 1 HELD userRoot/mail.db page 12
> 80003201 WRITE 2 HELD userRoot/mail.db page 12
>
> 80003201 READ 1 HELD userRoot/mail.db page 9
> 80003201 WRITE 2 HELD userRoot/mail.db page 9
>
> 80003201 READ 1 HELD userRoot/mail.db page 10
> 80003201 WRITE 2 HELD userRoot/mail.db page 10
>
> 80003201 READ 1 HELD userRoot/mail.db page 25
> 80003201 WRITE 2 HELD userRoot/mail.db page 25
>
> 80003201 READ 1 HELD userRoot/mail.db page 27
> 80003201 WRITE 2 HELD userRoot/mail.db page 27
>
> 80003201 READ 1 HELD userRoot/mail.db page 35
> 80003201 WRITE 2 HELD userRoot/mail.db page 35
>
> 80003201 READ 1 HELD userRoot/mail.db page 40
> 80003201 WRITE 2 HELD userRoot/mail.db page 40
>
> 80003201 READ 1 HELD userRoot/mail.db page 41
> 80003201 WRITE 2 HELD userRoot/mail.db page 41
>
> 80003201 READ 1 HELD userRoot/mail.db page 42
> 80003201 WRITE 2 HELD userRoot/mail.db page 42
>
> 80003201 READ 1 HELD userRoot/mail.db page 43
> 80003201 WRITE 2 HELD userRoot/mail.db page 43
>
> d READ 1 HELD ipaca/vlv#allinvalidcertsnotbeforepkitomcatindex.db handle 0
>
> 80 READ 1 HELD userRoot/uniquemember.db handle 0
>
> 80003201 READ 1 HELD userRoot/uniquemember.db page 1
>
> 80003201 READ 1 HELD userRoot/member.db page 59
> 80003201 WRITE 2 HELD userRoot/member.db page 59
>
> 80003201 READ 1 HELD userRoot/member.db page 3
> 80003201 WRITE 2 HELD userRoot/member.db page 3
>
> 7f READ 1 HELD userRoot/member.db handle 0
>
> 80003201 READ 3 HELD userRoot/member.db page 110
> 80003201 WRITE 2 HELD userRoot/member.db page 110
>
> 59 READ 1 HELD changelog/numsubordinates.db handle 0
>
> 80003201 WRITE 2 HELD changelog/numsubordinates.db page 1
>
> e READ 1 HELD ipaca/vlv#allnonrevokedcertspkitomcatindex.db handle 0
>
> 71 READ 1 HELD ipaca/certstatus.db handle 0
>
> 17 READ 1 HELD ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db handle 0
>
> 80003201 READ 2 HELD userRoot/objectclass.db page 8
> 80003201 WRITE 4 HELD userRoot/objectclass.db page 8
>
> 80003201 READ 1 HELD userRoot/objectclass.db page 9
> 80003201 WRITE 2 HELD userRoot/objectclass.db page 9
>
> 80003201 READ 1 HELD userRoot/objectclass.db page 15
> 80003201 WRITE 2 HELD userRoot/objectclass.db page 15
>
> 80003201 READ 2 HELD userRoot/objectclass.db page 2
> 80003201 WRITE 4 HELD userRoot/objectclass.db page 2
> 43 READ 1 WAIT userRoot/objectclass.db page 2
>
> 80003201 READ 2 HELD userRoot/objectclass.db page 3
> 80003201 WRITE 4 HELD userRoot/objectclass.db page 3
>
> 38 READ 1 HELD userRoot/objectclass.db handle 0
>
> 80003201 READ 1 HELD userRoot/objectclass.db page 18
> 80003201 WRITE 2 HELD userRoot/objectclass.db page 18
>
> 80003201 READ 21 HELD userRoot/objectclass.db page 19
> 80003201 WRITE 6 HELD userRoot/objectclass.db page 19
>
> 80003201 READ 1 HELD userRoot/objectclass.db page 16
> 80003201 WRITE 2 HELD userRoot/objectclass.db page 16
>
> 80003201 WRITE 1 HELD userRoot/objectclass.db page 17
>
>
> On Tue, Sep 22, 2015 at 4:12 AM, thierry bordaz wrote:
>
> Hi,
>
> If it hangs again, could you get a pstack of the slapd process
> and also dump the db info with 'db_stat -h /var/lib/dirsrv/slapd-/db -N -CA'? This
> would help to know which thread holds the lock that blocks
> those operations.
>
> thanks
> thierry
>
>
> On 09/18/2015 09:20 PM, HECTOR LOPEZ wrote:
>>
>> Ludwig Krispenz,
>>
>> This is the output of gstack on ns-slapd (pstack on RHEL). Also,
>> killing the ns-slapd process gave this error: "ipa: ERROR: cannot
>> connect to 'ldapi://%2fvar%2frun%2fslapd-GSEIS-UCLA-EDU.socket':
>> ". After that I could use ipactl restart and the command ran
>> successfully. Thank you for helping me. Again, here is the
>> pstack output of ns-slapd:
>>
>> -sh-4.2$ sudo gstack 2197
>>
>> Thread 45 (Thread 0x7f3ad8144700 (LWP 2651)):
>> #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>> #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>> #2 0x00007f3adc11e4a7 in deadlock_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 44 (Thread 0x7f3ad7943700 (LWP 2652)):
>> #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>> #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>> #2 0x00007f3adc122576 in checkpoint_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 43 (Thread 0x7f3ad7142700 (LWP 2653)):
>> #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>> #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>> #2 0x00007f3adc11e71f in trickle_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 42 (Thread 0x7f3ad6941700 (LWP 2654)):
>> #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>> #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>> #2 0x00007f3adc119437 in perf_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 41 (Thread 0x7f3ad6140700 (LWP 2655)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>> #3 0x00007f3ae058164e in cos_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libcos-plugin.so
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 40 (Thread 0x7f3ad593f700 (LWP 2656)):
>> #0 0x00007f3ae7400b7d in poll () from /lib64/libc.so.6
>> #1 0x00007f3addf0247c in ipa_cldap_worker () from /usr/lib64/dirsrv/plugins/libipa_cldap.so
>> #2 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #3 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 39 (Thread 0x7f3ad513e700 (LWP 2657)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>> #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 38 (Thread 0x7f3ad493d700 (LWP 2658)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>> #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 37 (Thread 0x7f3acffff700 (LWP 2659)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>> #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 36 (Thread 0x7f3acf7fe700 (LWP 2660)):
>> #0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so
>> #2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so
>> #3 0x00007f3ae9e21a93 in housecleaning ()
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 35 (Thread 0x7f3aceffd700 (LWP 2661)):
>> #0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so
>> #2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so
>> #3 0x00007f3ae9914188 in eq_loop () from /usr/lib64/dirsrv/libslapd.so.0
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 34 (Thread 0x7f3ace55b700 (LWP 2663)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
>> #3 0x00007f3ae9e1988d in connection_threadmain ()
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 33 (Thread 0x7f3acdd5a700 (LWP 2664)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
>> #3 0x00007f3ae9e1988d in connection_threadmain ()
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 32 (Thread 0x7f3acd559700 (LWP 2665)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
>> #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
>> #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
>> #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
>> #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
>> #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
>> #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
>> #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
>> #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
>> #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so
>> #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #18 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #19 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #20 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #21 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #22 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #23 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #24 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0
>> #25 0x00007f3ae9e2b07e in do_search ()
>> #26 0x00007f3ae9e1a405 in connection_threadmain ()
>> #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 31 (Thread 0x7f3accd58700 (LWP 2666)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
>> #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
>> #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
>> #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
>> #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
>> #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
>> #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
>> #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
>> #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
>> #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so
>> #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #18 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #19 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #20 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #21 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #22 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #23 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #24 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0
>> #25 0x00007f3ae9e2b07e in do_search ()
>> #26 0x00007f3ae9e1a405 in connection_threadmain ()
>> #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 30 (Thread 0x7f3ac3fff700 (LWP 2667)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
>> #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
>> #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
>> #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
>> #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
>> #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
>> #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
>> #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
>> #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
>> #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so
>> #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #18 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #19 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #20 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0
>> #21 0x00007f3ae99501de in search_internal_callback_pb () from /usr/lib64/dirsrv/libslapd.so.0
>> #22 0x00007f3ae9950478 in search_internal_pb () from /usr/lib64/dirsrv/libslapd.so.0
>> #23 0x00007f3ae9e291fb in ids_sasl_canon_user ()
>> #24 0x00007f3ae7afd93b in _sasl_canon_user () from /lib64/libsasl2.so.3
>> #25 0x00007f3ae7afdc4c in _sasl_canon_user_lookup () from /lib64/libsasl2.so.3
>> #26 0x00007f3ae1c226de in crammd5_server_mech_step2.isra.6 () from
/usr/lib64/sasl2/libcrammd5.so >> >> #27 0x00007f3ae1c22ad9 in crammd5_server_mech_step () from >> /usr/lib64/sasl2/libcrammd5.so >> >> #28 0x00007f3ae7b09b88 in sasl_server_step () from >> /lib64/libsasl2.so.3 >> >> #29 0x00007f3ae9e2a576 in ids_sasl_check_bind () >> >> #30 0x00007f3ae9e13b22 in do_bind () >> >> #31 0x00007f3ae9e1a43f in connection_threadmain () >> >> #32 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #33 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #34 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 29 (Thread 0x7f3ac37fe700 (LWP 2668)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from >> /lib64/libdb-5.3.so >> >> #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from >> /lib64/libdb-5.3.so >> >> #3 0x00007f3ae2357cea in __lock_get_internal () from >> /lib64/libdb-5.3.so >> >> #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so >> >> >> #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so >> >> >> #6 0x00007f3ae22cb5f5 in __bam_search () from >> /lib64/libdb-5.3.so >> >> #7 0x00007f3ae22b6256 in __bamc_search () from >> /lib64/libdb-5.3.so >> >> #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so >> >> >> #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so >> >> >> #10 0x00007f3ae237fad2 in __dbc_get_pp () from >> /lib64/libdb-5.3.so >> >> #11 0x00007f3adc12d180 in idl_new_fetch () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #13 0x00007f3adc125dd4 in keys2idl () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #15 0x00007f3adc126b22 in filter_candidates_ext () from >> 
/usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #16 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #17 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #18 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #19 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #20 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #21 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #22 0x00007f3adc161fdc in subtree_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #23 0x00007f3adc1635f7 in ldbm_back_search () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #24 0x00007f3ae993fd49 in op_shared_search () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #25 0x00007f3ae9e2b07e in do_search () >> >> #26 0x00007f3ae9e1a405 in connection_threadmain () >> >> #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 28 (Thread 0x7f3ac2ffd700 (LWP 2669)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 27 (Thread 0x7f3ac27fc700 (LWP 2670)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 
in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 26 (Thread 0x7f3ac1ffb700 (LWP 2671)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 25 (Thread 0x7f3ac17fa700 (LWP 2672)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 24 (Thread 0x7f3ac0ff9700 (LWP 2673)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from 
/lib64/libc.so.6 >> >> Thread 23 (Thread 0x7f3abbfff700 (LWP 2674)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 22 (Thread 0x7f3abb7fe700 (LWP 2675)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 21 (Thread 0x7f3abaffd700 (LWP 2676)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 20 (Thread 0x7f3aba7fc700 (LWP 2677)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain 
() >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 19 (Thread 0x7f3ab9ffb700 (LWP 2678)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 18 (Thread 0x7f3ab97fa700 (LWP 2679)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 17 (Thread 0x7f3ab8ff9700 (LWP 2680)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 16 (Thread 0x7f3ab87f8700 (LWP 2681)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 
>> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 15 (Thread 0x7f3ab7ff7700 (LWP 2682)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 14 (Thread 0x7f3ab77f6700 (LWP 2683)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 13 (Thread 0x7f3ab6ff5700 (LWP 2684)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 
0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 12 (Thread 0x7f3ab67f4700 (LWP 2685)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 11 (Thread 0x7f3ab5ff3700 (LWP 2686)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from >> /lib64/libdb-5.3.so >> >> #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from >> /lib64/libdb-5.3.so >> >> #3 0x00007f3ae2357cea in __lock_get_internal () from >> /lib64/libdb-5.3.so >> >> #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so >> >> >> #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so >> >> >> #6 0x00007f3ae22cb5f5 in __bam_search () from >> /lib64/libdb-5.3.so >> >> #7 0x00007f3ae22b6256 in __bamc_search () from >> /lib64/libdb-5.3.so >> >> #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so >> >> >> #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so >> >> >> #10 0x00007f3ae237d843 in __db_get () from /lib64/libdb-5.3.so >> >> >> #11 0x00007f3ae2381123 in __db_get_pp () from /lib64/libdb-5.3.so >> >> >> #12 0x00007f3adc12949b in id2entry () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #13 0x00007f3adc14f7dd in ldbm_back_delete () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #14 0x00007f3ae9900190 in op_shared_delete () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #15 0x00007f3ae9900342 in delete_internal_pb () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #16 
0x00007f3adba44739 in mep_del_post_op () from >> /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so >> >> #17 0x00007f3ae994c280 in plugin_call_func () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #18 0x00007f3ae994c4d8 in plugin_call_plugins () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #19 0x00007f3adc14e42e in ldbm_back_delete () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #20 0x00007f3ae9900190 in op_shared_delete () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #21 0x00007f3ae9900453 in do_delete () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #22 0x00007f3ae9e1a37e in connection_threadmain () >> >> #23 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #24 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #25 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 10 (Thread 0x7f3ab57f2700 (LWP 2687)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 9 (Thread 0x7f3ab4ff1700 (LWP 2688)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 8 (Thread 0x7f3ab47f0700 (LWP 2689)): >> >> #0 
0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 7 (Thread 0x7f3ab3fef700 (LWP 2690)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 6 (Thread 0x7f3ab37ee700 (LWP 2691)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 5 (Thread 0x7f3ab2fed700 (LWP 2692)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 
0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 4 (Thread 0x7f3ab27ec700 (LWP 2693)): >> >> #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6 >> >> #1 0x00007f3ae997d459 in DS_Sleep () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #2 0x00007f3ae9e1b2c5 in time_thread () >> >> #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 3 (Thread 0x7f3ab1feb700 (LWP 2725)): >> >> #0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so >> >> #2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #3 0x00007f3ae0376374 in sync_send_results () from >> /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 2 (Thread 0x7f3ab17ea700 (LWP 2967)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e25c85 in ps_send_results () >> >> #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 1 (Thread 0x7f3ae9de2840 (LWP 2197)): >> >> #0 0x00007f3ae76e3f7d in __lll_lock_wait () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae76dfd68 in _L_lock_975 () from /lib64/libpthread.so.0 >> >> #2 0x00007f3ae76dfd11 in pthread_mutex_lock () from >> /lib64/libpthread.so.0 >> >> #3 0x00007f3ae7d36cb9 in PR_Lock () 
from /lib64/libnspr4.so >> >> #4 0x00007f3ae9e1def6 in slapd_daemon () >> >> #5 0x00007f3ae9e1117c in main () >> >> -sh-4.2$ >> >> >> On Fri, Sep 18, 2015 at 12:52 AM, Ludwig Krispenz >> > wrote: >> >> >> On 09/18/2015 12:24 AM, HECTOR LOPEZ wrote: >>> This is rhel 7.1 with ipa version 4.1.0 >>> >>> user-show shows the user. However, if the user contains >>> ipaNTSecurityIdentifier: attribute, user-del hangs with no >>> response. >>> >>> Meanwhile, the KDC and 389ds stop working. The only way to >>> recover functionality is to reboot the machine. ipactl >>> restart does nothing. >> If it hangs again, could you get a pstack of the slapd process ? >> If you then kill slapd, does ipactl restart work ? >> >>> >>> In the ldap access log I see this when trying to delete user >>> sclown: >>> >>> [14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 >>> tag=101 nentries=0 etime=0 >>> [14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL >>> dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org" >>> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD >>> dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca" >>> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 >>> tag=103 nentries=0 etime=0 >>> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH >>> base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 >>> filter="(objectClass=securityDomainSessionEntry)" attrs="cn" >>> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 >>> tag=101 nentries=0 etime=0 >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH >>> base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 >>> filter="(certStatus=INVALID)" attrs="objectClass serialno >>> notBefore notAfter duration extension subjectName >>> userCertificate version algorithmId signingAlgorithmId >>> publicKeyData" >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV >>> 200:0:20150914093009Z 1:0 (0) >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 >>> 
tag=101 nentries=0 etime=0 >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH >>> base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 >>> filter="(certStatus=VALID)" attrs="objectClass serialno >>> notBefore notAfter duration extension subjectName >>> userCertificate version algorithmId signingAlgorithmId >>> publicKeyData" >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV >>> 200:0:20150914093009Z 1:10 (0) >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 >>> tag=101 nentries=1 etime=0 >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH >>> base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 >>> filter="(certStatus=REVOKED)" attrs="objectClass revokedOn >>> serialno revInfo notAfter notBefore duration extension >>> subjectName userCertificate version algorithmId >>> signingAlgorithmId publicKeyData" >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV >>> 200:0:20150914093009Z 0:0 (0) >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 >>> tag=101 nentries=0 etime=0 notes=U >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH >>> base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 >>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>> attrs="description" >>> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 >>> tag=101 nentries=1 etime=0 >>> [14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND >>> >>> Then in the ldap error log I see this, which makes me think >>> there is a problem with the changelog: >>> >>> [14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get >>> id for changenumber=91314,cn=changelog from entryrdn index >>> (-30993) >>> [14/Sep/2015:09:30:03 -0700] - Operation error fetching >>> changenumber=91314,cn=changelog (null), error -30993. >>> [14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an >>> error occured while adding change number 91314, dn = >>> changenumber=91314,cn=changelog: Operations error. 
>>> [14/Sep/2015:09:30:03 -0700] retrocl-plugin - >>> retrocl_postob: operation failure [1] >>> >>> After this both kdc and ldap stop responding. In the >>> krb5kdc.log I see server errors after the user-del command >>> is run. The only way to resume normal operations is to >>> restart the whole machine. ipactl restart doesn't work. >>> >>> Any help would be highly appreciated! >>> >>> >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> >> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From preichl at redhat.com Thu Sep 24 09:17:51 2015 From: preichl at redhat.com (Pavel Reichl) Date: Thu, 24 Sep 2015 11:17:51 +0200 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> <20150921192924.GQ13819@hendrix.redhat.com> <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local> <20150921200943.GY13819@hendrix.redhat.com> <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local> Message-ID: <5603BFBF.5010903@redhat.com> Hello Andy, I understand that you run sssd-1.12.4-47.el6.x86_64 on ipa client, right? What version of SSSD do you run on ipa server? From canepa.n at mmfg.it Thu Sep 24 09:28:01 2015 From: canepa.n at mmfg.it (Nicola Canepa) Date: Thu, 24 Sep 2015 11:28:01 +0200 Subject: [Freeipa-users] Problem with replica In-Reply-To: <5603A754.10409@redhat.com> References: <5603A16E.6050802@mmfg.it> <5603A754.10409@redhat.com> Message-ID: <5603C221.9000805@mmfg.it> Thank you very much. 
I did as suggested, and ticket is #48292

Nicola

On 24/09/15 09:33, Ludwig Krispenz wrote:
> Hi,
>
> can you try to get a core dump:
>
> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debug_crashes
>
> and open a ticket for 389 DS: https://fedorahosted.org/389/newticket
>
> Ludwig
>
> On 09/24/2015 09:08 AM, Nicola Canepa wrote:
>> Hello, I'm trying to setup a partial replica of the LDAP tree stored in 389-ds by FreeIPA 4.1 (under CentOS 7), so that legacy systems have a local copy of the data needed to authenticate.
>> Those systems have already OpenLDAP installed, so I'm trying to enable syncrepl from DS to OL.
>> I followed this ticket: https://fedorahosted.org/freeipa/ticket/3967 and I enabled the 2 plugins as indicated.
>> When the slave starts and tries to sync, the ns-slapd process on FreeIPA server dies, with this in syslog:
>>> kernel: ns-slapd[4801]: segfault at 0 ip 00007f0f041f2db6 sp 00007f0ecc7f0f38 error 4 in libc-2.17.so[7f0f0416e000+1b6000]
>> immediately (same second) followed by:
>>> named[1974]: LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
>>> named[1974]: ldap_syncrepl will reconnect in 60 seconds
>>> systemd: dirsrv@XXX.service: main process exited, code=killed, status=11/SEGV
>>
>> There is nothing in access or error log (found in /var/log/dirsrv/INSTANCE) at that second (last log is 30 seconds before the problem).
>>
>> Even if replica doesn't work, I think it shouldn't kill the daemon.
>>
>> The ldif used on the slave:
>>> dn: olcDatabase={1}bdb,cn=config
>>> changetype: modify
>>> replace: olcSyncrepl
>>> olcSyncrepl: rid=0001
>>>  provider=ldap://AAA.TLD
>>>  type=refreshOnly
>>>  interval=00:1:00:00
>>>  retry="5 5 300 +"
>>>  searchbase="YYY"
>>>  attrs="*,+"
>>>  bindmethod=simple
>>>  binddn="uid=XXX,cn=users,cn=accounts,dc=YYY"
>>>  credentials=ZZZ
>>
>> Nicola
>

--
Nicola Canepa
Tel: +39-0522-399-3474
canepa.n at mmfg.it
---
The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us.
No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties.

From mkosek at redhat.com Thu Sep 24 10:31:35 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 24 Sep 2015 12:31:35 +0200
Subject: [Freeipa-users] User, keytab, password and ldap
In-Reply-To:
References: <5603A8D6.20007@redhat.com>
Message-ID: <5603D107.8000107@redhat.com>

Adding back freeipa-users.

As for the -P option, I assume all it does is that it does not use random key
when generating the keytab but rather the specified password. I do not know,
however, if this non-random password can be used for normal LDAP BINDs and thus
should be also added to userPassword attribute. I will also wait for Simo's
advice and then a ticket can be filed if this is really a bug.

On 09/24/2015 10:44 AM, bahan w wrote:
> Thank you for your answer Martin.
> I am very interested by the answer from Simo.
> Because the ipa-getkeytab has this option -P specifically to have both a
> keytab and a password, so it would make sense that this command should
> update also the ldap for the user by adding this field userPassword no ?
>
> Best regards.
>
> Bahan
>
> On Thu, Sep 24, 2015 at 9:40 AM, Martin Kosek wrote:
>
>> On 09/23/2015 04:32 PM, bahan w wrote:
>>> Hello !
>>>
>>> I'm using IPA 3.0.0 and I have a problem with one of the users I created:
>>> user3
>>>
>>> I created this user with the command ipa user-add without specifying any
>>> password.
>>> Then I performed an ipa-getkeytab command with the -P option to have a
>>> keytab and a password.
>>>
>>> When I check the ldap server with the following command, I cannot find
>>> any "userpassword" field for this user.
>>> ldapsearch -v -x -D 'cn=Directory Manager' -W -h -p
>>>
>>> ###
>>> # user3, users, accounts, myrealm
>>> dn: uid=user3,cn=users,cn=accounts,dc=myrealm
>>> displayName: user3 user3
>>> cn: user3 user3
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalperson
>>> objectClass: inetorgperson
>>> objectClass: inetuser
>>> objectClass: posixaccount
>>> objectClass: krbprincipalaux
>>> objectClass: krbticketpolicyaux
>>> objectClass: ipaobject
>>> objectClass: ipasshuser
>>> objectClass: ipaSshGroupOfPubKeys
>>> objectClass: mepOriginEntry
>>> loginShell: /bin/sh
>>> sn: user3
>>> gecos: user3 user3
>>> homeDirectory: /home/user3
>>> krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
>>> krbPrincipalName: user3 at MYREALM
>>> givenName: user3
>>> uid: user3
>>> initials: uu
>>> ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
>>> uidNumber:
>>> gidNumber:
>>> memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
>>> memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
>>> mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
>>> krbLastPwdChange: 20150923134438Z
>>> krbPrincipalKey::
>>> krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
>>> krbLastSuccessfulAuth: 20150923120752Z
>>> krbLastFailedAuth: 20150923132257Z
>>> krbLoginFailedCount: 1
>>> ###
>>>
>>> Then, with an admin ticket, I performed an ipa passwd user3 and I set a
>>> one time password.
>>> Then I connected with user3 and he was able to change its one time
>>> password into something else.
>>> And when I retried the ldapsearch command, the field userpassword was
>>> there.
>>> But the keytab is not working anymore.
>>>
>>> So here is my question :
>>> How can I generate a user with a keytab, a password and the userpassword
>>> field in the ldap ?
>>
>> I do not think you can do that - by design. FreeIPA synchronizes Kerberos
>> keys and the user password. So if you change password, existing keytab is
>> invalidated.
>> If you get a keytab, password is invalidated as random key is
>> generated.
>>
>>> The ipa-getkeytab -P option allows me to have both keytab and the
>>> password, but as the field userpassword is missing in the ldap, some
>>> other tools using ldapbackend authentication does not work for this
>>> user.
>>
>> I assume this is not expected to work this way, but please let me CC Simo
>> here, if there is a problem in processing the -P option.
>>
>>
>

From Andy.Thompson at e-tcc.com Thu Sep 24 12:40:18 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Thu, 24 Sep 2015 12:40:18 +0000
Subject: [Freeipa-users] sssd public socket error
In-Reply-To: <20150923205407.GO7272@hendrix.redhat.com>
References: <04d971afeace4bdeae8230f0f8244877@TCCCORPEXCH02.TCC.local>
 <20150923205407.GO7272@hendrix.redhat.com>
Message-ID:

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Wednesday, September 23, 2015 4:54 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sssd public socket error
>
> On Wed, Sep 23, 2015 at 06:03:45PM +0000, Andy Thompson wrote:
> > On one of my servers I'm getting
> >
> > Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session):
> > session opened for user user by (uid=0)
> > Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred):
> > Request to sssd failed. Public socket has wrong ownership or permissions.
> >
> > Authentication still works but group name lookups fail on the server.
> >
> > Haven't been able to track down yet what config is different on this
> > server and I can't find any information on this, anyone have any
> > thoughts?
>
> The code is:
>
>     statret = stat(SSS_PAM_SOCKET_NAME, &stat_buf);
>     if (statret != 0) {
>         ret = PAM_SERVICE_ERR;
>         goto out;
>     }
>     if ( ! (stat_buf.st_uid == 0 &&
>             stat_buf.st_gid == 0 &&
>             S_ISSOCK(stat_buf.st_mode) &&
>             (stat_buf.st_mode & ~S_IFMT) == 0666 )) {
>         *errnop = ESSS_BAD_PUB_SOCKET;
>         ret = PAM_SERVICE_ERR;
>         goto out;
>     }
>
> I would compare:
> ls -lR /var/lib/sss/pipes/
>
> on a working or a non-working server. The public PAM socket
> (/var/lib/sss/pipes/pam) should be there and should have permission 0666.
>
> Also check AVC denials.
>

It was file perms on those files. Thanks for the pointer.

-andy

From Andy.Thompson at e-tcc.com Thu Sep 24 12:48:58 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Thu, 24 Sep 2015 12:48:58 +0000
Subject: [Freeipa-users] IPA server failover
In-Reply-To: <20150924051726.GC7201@redhat.com>
References: <4ef3bc3ac1734e23afecd957c6159615@TCCCORPEXCH02.TCC.local>
 <20150924051726.GC7201@redhat.com>
Message-ID: <734b911b20b64458b1a973225d4656ff@TCCCORPEXCH02.TCC.local>

> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> Sent: Thursday, September 24, 2015 1:17 AM
> To: Andy Thompson
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA server failover
>
> On Wed, 23 Sep 2015, Andy Thompson wrote:
> >I've got all of my environments setup with two IPA servers. I'm
> >fighting intermittent problems with krb5kdc crashing on them in all of
> >my environments and I've opened a ticket with Redhat on that. What I
> >can't figure out though is why the clients will not fail over to the
> >second functioning server in the domain
> >
> >My sssd.conf files are all pretty generic from the install with minimal
> >modification to add a couple settings.
> >
> >[domain/mhbe.lin]
> >
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = mhbe.lin
> >id_provider = ipa
> >auth_provider = ipa
> >access_provider = ipa
> >ipa_hostname = mdhixproddb01.mhbe.lin
> >chpass_provider = ipa
> >ipa_server = _srv_, mdhixprodipa01.mhbe.lin
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >[sssd]
> >default_domain_suffix = mhbe.local
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >
> >domains = mhbe.lin
> >[nss]
> >default_shell = /bin/bash
> >homedir_substring = /home
> >debug_level = 7
> >[pam]
> >
> >[sudo]
> >
> >[autofs]
> >
> >[ssh]
> >
> >[pac]
> >
> >[ifp]
> >
> >I thought the _srv_ would force it to use dns and both servers are
> >round robined when digging the _kerberos records from DNS. So I don't
> >understand why it's not working
> ipa_server is for SSSD tasks using LDAP server. Kerberos libraries are using
> /etc/krb5.conf for hints where to find KDCs.
>
> A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing 'kdc = '
> for specific realm would cause Kerberos clients to do DNS discovery using
> SRV records.
>

Here are the contents of my krb conf with everything set to lookup and it
doesn't appear to be working.

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = MHBE.LIN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0


[realms]
  MHBE.LIN = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }


[domain_realm]
  .mhbe.lin = MHBE.LIN
  mhbe.lin = MHBE.LIN

> If multiple 'kdc = ...' values are specified in the realm definition, Kerberos
> clients will fall over to the next one in the list in case of a failure.
>
> When ipa-client-install is run, we configure krb5.conf without explicit KDCs if
> DNS discovery of Kerberos was successful which should take care of SRV
> record-based discovery of KDCs.
> -- > / Alexander Bokovoy From janellenicole80 at gmail.com Thu Sep 24 12:49:51 2015 From: janellenicole80 at gmail.com (Janelle) Date: Thu, 24 Sep 2015 05:49:51 -0700 Subject: [Freeipa-users] V6 and v4 In-Reply-To: <5603ACDF.3070602@redhat.com> References: <20150914064630.GP6168@redhat.com> <56030613.3050308@gmail.com> <5603ACDF.3070602@redhat.com> Message-ID: <5603F16F.7090106@gmail.com> On 9/24/15 12:57 AM, Martin Kosek wrote: > On 09/23/2015 10:05 PM, Janelle wrote: >> On 9/13/15 11:46 PM, Alexander Bokovoy wrote: >>> On Sun, 13 Sep 2015, Janelle wrote: >>>> Hello, >>>> >>>> I read something recently that if ip v6 is disable on a server this >>>> hurts performance in some way? Is there more info on this or did I >>>> misread it? >>> Do not disable IPv6 stack on your machines. By disabling IPv6 you are >>> not doing good. On contrary, many contemporary software projects are >>> using IPv6-enabled network calls by default because both IPv6 and IPv4 >>> share the same name space on the machine so you only need to listen on a >>> IPv6 port to accept both IPv4 and IPv6. This is a recommended approach >>> for networking applications' developers for years already. >>> >>> Note that this means only that support for IPv6 stack is enabled in the >>> kernel. You are not required to go with IPv6 networking addresses, this >>> is not really needed if you don't want to. But allowing applications to >>> be IPv6 aware is required. >>> >>> FreeIPA has several components which are programmed in such way that >>> they expect IPv6 stack to be enabled for reasons outlined above. If you >>> disable IPv6 stack, FreeIPA will partially malfunction and will not >>> really be in a supported state, especially when we are talking about >>> trusts to Active Directory (and, in future, IPA to IPA trust). >>> >> BTW - I did re-enable IPv6 and was able to "clean ruv" all the "dead" entries, >> which I had not been able to do before. Thank you for this. 
> Hello Janelle, > > Thanks for confirmation! I added this knowledge to > > http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records > > as it is definitely not an obvious fix to resolve the RUV issue. > > Please feel very welcome to extend Troubleshooting guide if you have other > advise that could help others speed up their RUV investigation - you have > definitely a lot of experience with them. > > Thanks! > Martin Final - Final confirmation now. I now deleted a replica and re-added. No "ghost" entries at all. Everything is perfect. Yeah, this was crazy that it was the fix on all the problems I had for a few months. It definitely was not an obvious one. I had wondered if it was DNS at one point, but every server/master has a /etc/hosts file with all hostnames and IPs (I never trust DNS). Thank you for sticking with all my issues and helping with this. This one was a huge help. At one point I had 9 of these ghost RUVs that would not go away. Even if I deleted them off a server, they would magically re-appear. It was so frustrating. Having a clean environment is a wonderful thing. I love IPA!! I will check the DOCs and if there is anything I can add I will. 
~Janelle From Andy.Thompson at e-tcc.com Thu Sep 24 12:50:41 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Thu, 24 Sep 2015 12:50:41 +0000 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <5603BFBF.5010903@redhat.com> References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> <20150921192924.GQ13819@hendrix.redhat.com> <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local> <20150921200943.GY13819@hendrix.redhat.com> <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local> <5603BFBF.5010903@redhat.com> Message-ID: <52b53e146fd740a4b32fb7491ed66454@TCCCORPEXCH02.TCC.local> > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of Pavel Reichl > Sent: Thursday, September 24, 2015 5:18 AM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo > > Hello Andy, > > I understand that you run sssd-1.12.4-47.el6.x86_64 on ipa client, right? > > What version of SSSD do you run on ipa server? > The servers are running sssd-1.12.2-58.el7_1.14.x86_64 -andy From simo at redhat.com Thu Sep 24 12:57:19 2015 From: simo at redhat.com (Simo Sorce) Date: Thu, 24 Sep 2015 08:57:19 -0400 Subject: [Freeipa-users] User, keytab, password and ldap In-Reply-To: <5603A8D6.20007@redhat.com> References: <5603A8D6.20007@redhat.com> Message-ID: <5603F32F.1090202@redhat.com> On 24/09/15 03:40, Martin Kosek wrote: > On 09/23/2015 04:32 PM, bahan w wrote: >> Hello ! >> >> I'm using IPA 3.0.0 and I have a problem with one of the user I created. >> user3 >> >> I created this user with the command ipa user-add without specifying any >> password. >> Then I performed an ipa-getkeytab command with the -P option to have a >> keytab and a password. 
>> >> When I check the ldap server with the following command, I cannot find any >> "userpassword" field for this user. >> ldapsearch -v -x -D 'cn=Directory Manager' -W -h -p >> >> ### >> # user3, users, accounts, myrealm >> dn: uid=user3,cn=users,cn=accounts,dc=myrealm >> displayName: user3 user3 >> cn: user3 user3 >> objectClass: top >> objectClass: person >> objectClass: organizationalperson >> objectClass: inetorgperson >> objectClass: inetuser >> objectClass: posixaccount >> objectClass: krbprincipalaux >> objectClass: krbticketpolicyaux >> objectClass: ipaobject >> objectClass: ipasshuser >> objectClass: ipaSshGroupOfPubKeys >> objectClass: mepOriginEntry >> loginShell: /bin/sh >> sn: user3 >> gecos: user3 user3 >> homeDirectory: /home/user3 >> krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm >> krbPrincipalName: user3 at MYREALM >> givenName: user3 >> uid: user3 >> initials: uu >> ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7 >> uidNumber: >> gidNumber: >> memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm >> memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm >> mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm >> krbLastPwdChange: 20150923134438Z >> krbPrincipalKey:: >> krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA== >> krbLastSuccessfulAuth: 20150923120752Z >> krbLastFailedAuth: 20150923132257Z >> krbLoginFailedCount: 1 >> ### >> >> Then, with an admin ticket, I performed an ipa passwd user3 and I set a one >> time password. >> Then I connected with user3 and he was able to change its one time password >> into something else. >> And when I retried the ldapsearch command, the field userpassword was there. >> But the keytab is not working anymore. >> >> So here is my question : >> How can I generate a user with a keytab, a password and the userpassword >> field in the ldap ? > > I do not think you can do that - by design. FreeIPA synchronizes Kerberos keys > and the user password. 
> So if you change password, existing keytab is
> invalidated. If you get a keytab, password is invalidated as random key is
> generated.
>
>> The ipa-getkeytab -P option allows me to have both keytab and the password,
>> but as the field userpassword is missing in the ldap, some other tools
>> using ldapbackend authentication does not work for this user.
>
> I assume this is not expected to work this way, but please let me CC Simo here,
> if there is a problem in processing the -P option.

userPassword should be generated when using ipa-getkeytab -P, if it is not,
please file a bug.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From brian at interlinx.bc.ca Thu Sep 24 13:07:19 2015
From: brian at interlinx.bc.ca (Brian J. Murrell)
Date: Thu, 24 Sep 2015 09:07:19 -0400
Subject: [Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t
In-Reply-To: <20150924052357.GD7201@redhat.com>
References: <1443051323.7486.76.camel@interlinx.bc.ca>
 <20150924052357.GD7201@redhat.com>
Message-ID: <1443100039.7486.100.camel@interlinx.bc.ca>

On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:
> You need to explain what are you trying to achieve first.

Sure. It is entirely likely that I am misunderstanding what I should be
doing.

A system service needs to be able to authenticate to the service
imap/linux.example.com as a given user, so clearly that system service
cannot kinit and provide a password as a user would normally (I guess
this is what GSS-Proxy is for, FWIW).

> The sequence above:
>
> - Sets a random Kerberos key for a principal named
> asterisk at EXAMPLE.COM

OK.

> on IPA KDC and stores it to the local keytab file asterisk.keytab

Right.

> - tries to use a key for
> asterisk at EXAMPLE.COM to obtain ticket
> granting
> ticket as
> imap/linux.example.com at EXAMPLE.COM

So maybe this is where I am going wrong.
> Unless imap/linux.example.com at EXAMPLE.COM
> has exactly same Kerberos key
> as asterisk at EXAMPLE.COM, the above should
> fail and it does.

So I want to put the imap/linux.example.com kerberos key into the
asterisk.keytab file such as:

ipa-getkeytab -s server.example.com -p imap/linux.example.com -k /tmp/asterisk-krb5.keytab -e aes256-cts

I probably need to brush up on my kerberos here but is that what a user
effectively does? When I, as a user do a "kinit brian" and then do a
klist (after having used my imap client) and I see:

24/09/15 09:00:28  25/09/15 06:19:42  imap/linux.example.com at EXAMPLE.COM

Does that mean that I actually have the Kerberos key for that
imap/linux.example.com at EXAMPLE.COM in my key cache -- the exact same
key that I am going to put into the asterisk.keytab above?

Cheers,
b.

From abokovoy at redhat.com Thu Sep 24 13:29:09 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 24 Sep 2015 16:29:09 +0300
Subject: [Freeipa-users] IPA server failover
In-Reply-To: <734b911b20b64458b1a973225d4656ff@TCCCORPEXCH02.TCC.local>
References: <4ef3bc3ac1734e23afecd957c6159615@TCCCORPEXCH02.TCC.local>
 <20150924051726.GC7201@redhat.com>
 <734b911b20b64458b1a973225d4656ff@TCCCORPEXCH02.TCC.local>
Message-ID: <20150924132909.GF7201@redhat.com>

On Thu, 24 Sep 2015, Andy Thompson wrote:
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>> Sent: Thursday, September 24, 2015 1:17 AM
>> To: Andy Thompson
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] IPA server failover
>>
>> On Wed, 23 Sep 2015, Andy Thompson wrote:
>> >I've got all of my environments setup with two IPA servers.
I'm >> >fighting intermittent problems with krb5kdc crashing on them in all of >> >my environments and I've opened a ticket with Redhat on that. What I >> >can't figure out though is why the clients will not fail over to the >> >second functioning server in the domain >> > >> >My sssd.conf files are all pretty generic from the install with minimal >> >modification to add a couple settings. >> > >> >[domain/mhbe.lin] >> > >> >cache_credentials = True >> >krb5_store_password_if_offline = True >> >ipa_domain = mhbe.lin >> >id_provider = ipa >> >auth_provider = ipa >> >access_provider = ipa >> >ipa_hostname = mdhixproddb01.mhbe.lin >> >chpass_provider = ipa >> >ipa_server = _srv_, mdhixprodipa01.mhbe.lin ldap_tls_cacert = >> >/etc/ipa/ca.crt [sssd] default_domain_suffix = mhbe.local services = >> >nss, sudo, pam, ssh config_file_version = 2 >> > >> >domains = mhbe.lin >> >[nss] >> >default_shell = /bin/bash >> >homedir_substring = /home >> >debug_level = 7 >> >[pam] >> > >> >[sudo] >> > >> >[autofs] >> > >> >[ssh] >> > >> >[pac] >> > >> >[ifp] >> > >> >I thought the _srv_ would force it to use dns and both servers are >> >round robined when digging the _kerberos records from DNS. So I don't >> >understand why it's not working >> ipa_server is for SSSD tasks using LDAP server. Kerberos libraries are using >> /etc/krb5.conf for hints where to find KDCs. >> >> A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing 'kdc = ' >> for specific realm would cause Kerberos clients to do DNS discovery using >> SRV records. >> > >Here are the contents of my krb conf with everything set to lookup and it doesn't appear to be working. 
>
>includedir /var/lib/sss/pubconf/krb5.include.d/
>
>[libdefaults]
> default_realm = MHBE.LIN
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
>
>
>[realms]
> MHBE.LIN = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
>
> }
>
>
>[domain_realm]
> .mhbe.lin = MHBE.LIN
> mhbe.lin = MHBE.LIN

I bet you have SSSD supplying you KDC info in
/var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
/usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so

You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
see details in sssd-krb5(5).

--
/ Alexander Bokovoy

From abokovoy at redhat.com Thu Sep 24 13:36:38 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 24 Sep 2015 16:36:38 +0300
Subject: [Freeipa-users] V6 and v4
In-Reply-To: <5603F16F.7090106@gmail.com>
References: <20150914064630.GP6168@redhat.com>
 <56030613.3050308@gmail.com>
 <5603ACDF.3070602@redhat.com>
 <5603F16F.7090106@gmail.com>
Message-ID: <20150924133638.GG7201@redhat.com>

On Thu, 24 Sep 2015, Janelle wrote:
>On 9/24/15 12:57 AM, Martin Kosek wrote:
>>On 09/23/2015 10:05 PM, Janelle wrote:
>>>On 9/13/15 11:46 PM, Alexander Bokovoy wrote:
>>>>On Sun, 13 Sep 2015, Janelle wrote:
>>>>>Hello,
>>>>>
>>>>>I read something recently that if ip v6 is disable on a server this
>>>>>hurts performance in some way? Is there more info on this or did I
>>>>>misread it?
>>>>Do not disable IPv6 stack on your machines. By disabling IPv6 you are
>>>>not doing good. On contrary, many contemporary software projects are
>>>>using IPv6-enabled network calls by default because both IPv6 and IPv4
>>>>share the same name space on the machine so you only need to listen on a
>>>>IPv6 port to accept both IPv4 and IPv6. This is a recommended approach
>>>>for networking applications' developers for years already.
>>>>
>>>>Note that this means only that support for IPv6 stack is enabled in the
>>>>kernel.
You are not required to go with IPv6 networking addresses, this >>>>is not really needed if you don't want to. But allowing applications to >>>>be IPv6 aware is required. >>>> >>>>FreeIPA has several components which are programmed in such way that >>>>they expect IPv6 stack to be enabled for reasons outlined above. If you >>>>disable IPv6 stack, FreeIPA will partially malfunction and will not >>>>really be in a supported state, especially when we are talking about >>>>trusts to Active Directory (and, in future, IPA to IPA trust). >>>> >>>BTW - I did re-enable IPv6 and was able to "clean ruv" all the "dead" entries, >>>which I had not been able to do before. Thank you for this. >>Hello Janelle, >> >>Thanks for confirmation! I added this knowledge to >> >>http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records >> >>as it is definitely not an obvious fix to resolve the RUV issue. >> >>Please feel very welcome to extend Troubleshooting guide if you have other >>advise that could help others speed up their RUV investigation - you have >>definitely a lot of experience with them. >> >>Thanks! >>Martin >Final - Final confirmation now. I now deleted a replica and re-added. >No "ghost" entries at all. Everything is perfect. Yeah, this was crazy >that it was the fix on all the problems I had for a few months. It >definitely was not an obvious one. I had wondered if it was DNS at >one point, but every server/master has a /etc/hosts file with all >hostnames and IPs (I never trust DNS). > >Thank you for sticking with all my issues and helping with this. This >one was a huge help. At one point I had 9 of these ghost RUVs that >would not go away. Even if I deleted them off a server, they would >magically re-appear. It was so frustrating. Having a clean >environment is a wonderful thing. I love IPA!! > >I will check the DOCs and if there is anything I can add I will. 
It looks like 389-ds internally uses IPv6 stack functions as that allows to
support both IPv4 and IPv6 addresses. This means that 389-ds always listens
on tcp6 (netstat -nltp will show that) and if IPv6 stack is disabled in the
kernel, it could cause some issues as not all functionality would be
available to the user space.

Again, you don't need to have IPv6 network addresses, just IPv6 namespace
enabled in the kernel.

--
/ Alexander Bokovoy

From preichl at redhat.com Thu Sep 24 13:43:46 2015
From: preichl at redhat.com (Pavel Reichl)
Date: Thu, 24 Sep 2015 15:43:46 +0200
Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
In-Reply-To: <52b53e146fd740a4b32fb7491ed66454@TCCCORPEXCH02.TCC.local>
References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local>
 <20150915123638.GN2884@hendrix>
 <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local>
 <20150918084152.GF3162@hendrix.redhat.com>
 <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local>
 <20150921192924.GQ13819@hendrix.redhat.com>
 <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local>
 <20150921200943.GY13819@hendrix.redhat.com>
 <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local>
 <5603BFBF.5010903@redhat.com>
 <52b53e146fd740a4b32fb7491ed66454@TCCCORPEXCH02.TCC.local>
Message-ID: <5603FE12.4030003@redhat.com>

On 09/24/2015 02:50 PM, Andy Thompson wrote:
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>> bounces at redhat.com] On Behalf Of Pavel Reichl
>> Sent: Thursday, September 24, 2015 5:18 AM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
>>
>> Hello Andy,
>>
>> I understand that you run sssd-1.12.4-47.el6.x86_64 on ipa client, right?
>>
>> What version of SSSD do you run on ipa server?
>>
>
> The servers are running
>
> sssd-1.12.2-58.el7_1.14.x86_64
>
> -andy
>

Thanks, I prepared a scratch build containing patches for
https://fedorahosted.org/sssd/ticket/2633 that could fix your problems.

Please consider installing the build on your ipa server but please avoid
using it in production environment.

Thanks!

https://copr.fedoraproject.org/coprs/preichl/fix_ext_grp/

From pspacek at redhat.com Thu Sep 24 13:50:03 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 24 Sep 2015 15:50:03 +0200
Subject: [Freeipa-users] IPA server failover
In-Reply-To: <20150924132909.GF7201@redhat.com>
References: <4ef3bc3ac1734e23afecd957c6159615@TCCCORPEXCH02.TCC.local>
 <20150924051726.GC7201@redhat.com>
 <734b911b20b64458b1a973225d4656ff@TCCCORPEXCH02.TCC.local>
 <20150924132909.GF7201@redhat.com>
Message-ID: <5603FF8B.8060704@redhat.com>

On 24.9.2015 15:29, Alexander Bokovoy wrote:
> On Thu, 24 Sep 2015, Andy Thompson wrote:
>>> -----Original Message-----
>>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>>> Sent: Thursday, September 24, 2015 1:17 AM
>>> To: Andy Thompson
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] IPA server failover
>>>
>>> On Wed, 23 Sep 2015, Andy Thompson wrote:
>>> >I've got all of my environments setup with two IPA servers. I'm
>>> >fighting intermittent problems with krb5kdc crashing on them in all of
>>> >my environments and I've opened a ticket with Redhat on that. What I
>>> >can't figure out though is why the clients will not fail over to the
>>> >second functioning server in the domain
>>> >
>>> >My sssd.conf files are all pretty generic from the install with minimal
>>> >modification to add a couple settings.
>>> > >>> >[domain/mhbe.lin] >>> > >>> >cache_credentials = True >>> >krb5_store_password_if_offline = True >>> >ipa_domain = mhbe.lin >>> >id_provider = ipa >>> >auth_provider = ipa >>> >access_provider = ipa >>> >ipa_hostname = mdhixproddb01.mhbe.lin >>> >chpass_provider = ipa >>> >ipa_server = _srv_, mdhixprodipa01.mhbe.lin ldap_tls_cacert = >>> >/etc/ipa/ca.crt [sssd] default_domain_suffix = mhbe.local services = >>> >nss, sudo, pam, ssh config_file_version = 2 >>> > >>> >domains = mhbe.lin >>> >[nss] >>> >default_shell = /bin/bash >>> >homedir_substring = /home >>> >debug_level = 7 >>> >[pam] >>> > >>> >[sudo] >>> > >>> >[autofs] >>> > >>> >[ssh] >>> > >>> >[pac] >>> > >>> >[ifp] >>> > >>> >I thought the _srv_ would force it to use dns and both servers are >>> >round robined when digging the _kerberos records from DNS. So I don't >>> >understand why it's not working >>> ipa_server is for SSSD tasks using LDAP server. Kerberos libraries are using >>> /etc/krb5.conf for hints where to find KDCs. >>> >>> A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing 'kdc = ' >>> for specific realm would cause Kerberos clients to do DNS discovery using >>> SRV records. >>> >> >> Here are the contents of my krb conf with everything set to lookup and it >> doesn't appear to be working. >> >> includedir /var/lib/sss/pubconf/krb5.include.d/ >> >> [libdefaults] >> default_realm = MHBE.LIN >> dns_lookup_realm = true >> dns_lookup_kdc = true >> rdns = false >> ticket_lifetime = 24h >> forwardable = yes >> udp_preference_limit = 0 >> >> >> [realms] >> MHBE.LIN = { >> pkinit_anchors = FILE:/etc/ipa/ca.crt >> >> } >> >> >> [domain_realm] >> .mhbe.lin = MHBE.LIN >> mhbe.lin = MHBE.LIN > I bet you have SSSD supplying you KDC info in > /var/lib/sss/pubconf/kdcinfo.MHBE.LIN via > /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so > > You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section), > see details in sssd-krb5(5). 
Also, I would recommend you to check SRV records in DNS:

$ dig _kerberos._udp.mhbe.lin SRV

It should list both servers (with non-zero priority).

--
Petr^2 Spacek

From christoph.kaminski at biotronik.com Thu Sep 24 13:39:48 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Thu, 24 Sep 2015 15:39:48 +0200
Subject: [Freeipa-users] sudo options/sss_cache
Message-ID:

Hi

I have 3 problems/questions with ipa and sudo...

1. How to make a GLOBAL sudo rule with all the options what I want to have?
(e.g. !authenticate). I have tried to make a sudo rule for all users on all
hosts whom all users but without command and it doesn't work... Do I need to
set it for each rule separately?

2. How can I with sss_cache invalidate sudo rules? Do I need ever to kill all
files inside /var/lib/sssd/db? I don't see an option in sss_cache for this :/

3. How long is the time where sssd invalidates the sudo rules and make a new
look into ipa? Can I set this time?

MfG
Christoph Kaminski

-------------- next part --------------
An HTML attachment was scrubbed...
From Andy.Thompson at e-tcc.com  Thu Sep 24 14:16:17 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Thu, 24 Sep 2015 14:16:17 +0000
Subject: [Freeipa-users] IPA server failover
In-Reply-To: <5603FF8B.8060704@redhat.com>
References: <4ef3bc3ac1734e23afecd957c6159615@TCCCORPEXCH02.TCC.local>
 <20150924051726.GC7201@redhat.com>
 <734b911b20b64458b1a973225d4656ff@TCCCORPEXCH02.TCC.local>
 <20150924132909.GF7201@redhat.com>
 <5603FF8B.8060704@redhat.com>
Message-ID: <8b0ac4e811314ab9a6dc41b83aa6ed07@TCCCORPEXCH02.TCC.local>

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: Thursday, September 24, 2015 9:50 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA server failover
>
> On 24.9.2015 15:29, Alexander Bokovoy wrote:
> > On Thu, 24 Sep 2015, Andy Thompson wrote:
> >>> -----Original Message-----
> >>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> >>> Sent: Thursday, September 24, 2015 1:17 AM
> >>> To: Andy Thompson
> >>> Cc: freeipa-users at redhat.com
> >>> Subject: Re: [Freeipa-users] IPA server failover
> >>>
> >>> On Wed, 23 Sep 2015, Andy Thompson wrote:
> >>> >I've got all of my environments setup with two IPA servers. I'm
> >>> >fighting intermittent problems with krb5kdc crashing on them in all
> >>> >of my environments and I've opened a ticket with Redhat on that.
> >>> >What I can't figure out though is why the clients will not fail
> >>> >over to the second functioning server in the domain
> >>> >
> >>> >My sssd.conf files are all pretty generic from the install with
> >>> >minimal modification to add a couple settings.
> >>> >
> >>> >[domain/mhbe.lin]
> >>> >
> >>> >cache_credentials = True
> >>> >krb5_store_password_if_offline = True
> >>> >ipa_domain = mhbe.lin
> >>> >id_provider = ipa
> >>> >auth_provider = ipa
> >>> >access_provider = ipa
> >>> >ipa_hostname = mdhixproddb01.mhbe.lin
> >>> >chpass_provider = ipa
> >>> >ipa_server = _srv_, mdhixprodipa01.mhbe.lin
> >>> >ldap_tls_cacert = /etc/ipa/ca.crt
> >>> >[sssd]
> >>> >default_domain_suffix = mhbe.local
> >>> >services = nss, sudo, pam, ssh
> >>> >config_file_version = 2
> >>> >
> >>> >domains = mhbe.lin
> >>> >[nss]
> >>> >default_shell = /bin/bash
> >>> >homedir_substring = /home
> >>> >debug_level = 7
> >>> >[pam]
> >>> >
> >>> >[sudo]
> >>> >
> >>> >[autofs]
> >>> >
> >>> >[ssh]
> >>> >
> >>> >[pac]
> >>> >
> >>> >[ifp]
> >>> >
> >>> >I thought the _srv_ would force it to use dns and both servers are
> >>> >round robined when digging the _kerberos records from DNS. So I
> >>> >don't understand why it's not working
> >>> ipa_server is for SSSD tasks using LDAP server. Kerberos libraries
> >>> are using /etc/krb5.conf for hints where to find KDCs.
> >>>
> >>> A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing 'kdc = '
> >>> for specific realm would cause Kerberos clients to do DNS discovery
> >>> using SRV records.
> >>>
> >>
> >> Here are the contents of my krb conf with everything set to lookup
> >> and it doesn't appear to be working.
> >>
> >> includedir /var/lib/sss/pubconf/krb5.include.d/
> >>
> >> [libdefaults]
> >> default_realm = MHBE.LIN
> >> dns_lookup_realm = true
> >> dns_lookup_kdc = true
> >> rdns = false
> >> ticket_lifetime = 24h
> >> forwardable = yes
> >> udp_preference_limit = 0
> >>
> >>
> >> [realms]
> >> MHBE.LIN = {
> >> pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>
> >> }
> >>
> >>
> >> [domain_realm]
> >> .mhbe.lin = MHBE.LIN
> >> mhbe.lin = MHBE.LIN
> > I bet you have SSSD supplying you KDC info in
> > /var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
> > /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
> >
> > You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
> > see details in sssd-krb5(5).
>

I will look into adding this setting. Why is this not the default configuration by the client install?

> Also, I would recommend you to check SRV records in DNS:
>
> $ dig _kerberos._udp.mhbe.lin SRV
>
> It should list both servers (with non-zero priority).
>

Ok both servers are in there but they have a zero priority. Those are the default records added by the install.
-andy

From Andy.Thompson at e-tcc.com  Thu Sep 24 14:25:47 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Thu, 24 Sep 2015 14:25:47 +0000
Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
In-Reply-To: <5603FE12.4030003@redhat.com>
References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local>
 <20150915123638.GN2884@hendrix>
 <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local>
 <20150918084152.GF3162@hendrix.redhat.com>
 <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local>
 <20150921192924.GQ13819@hendrix.redhat.com>
 <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local>
 <20150921200943.GY13819@hendrix.redhat.com>
 <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local>
 <5603BFBF.5010903@redhat.com>
 <52b53e146fd740a4b32fb7491ed66454@TCCCORPEXCH02.TCC.local>,
 <5603FE12.4030003@redhat.com>
Message-ID: <1443104753545.73648@e-tcc.com>

Ok it will take me a while to get my test environment setup to match what I have in prod currently and I can do some testing at that point in time.

-andy

________________________________________
From: Pavel Reichl
Sent: Thursday, September 24, 2015 9:43 AM
To: Andy Thompson; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

On 09/24/2015 02:50 PM, Andy Thompson wrote:
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>> bounces at redhat.com] On Behalf Of Pavel Reichl
>> Sent: Thursday, September 24, 2015 5:18 AM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
>>
>> Hello Andy,
>>
>> I understand that you run sssd-1.12.4-47.el6.x86_64 on ipa client, right?
>>
>> What version of SSSD do you run on ipa server?
>>
>
> The servers are running
>
> sssd-1.12.2-58.el7_1.14.x86_64
>
> -andy
>

Thanks, I prepared a scratch build containing patches for https://fedorahosted.org/sssd/ticket/2633 that could fix your problems.
Please consider installing the build on your ipa server but please avoid using it in production environment.

Thanks!

https://copr.fedoraproject.org/coprs/preichl/fix_ext_grp/

From awilisch at gmail.com  Thu Sep 24 14:32:55 2015
From: awilisch at gmail.com (Aric Wilisch)
Date: Thu, 24 Sep 2015 10:32:55 -0400
Subject: [Freeipa-users] DNS Replication Validation
Message-ID:

I need a way to validate that both the primary and the redundant FreeIPA server's DNS zones are in sync. What's the simplest way for me to do this?

My boss won't let me continue with an upgrade until he's sure the primary and redundant servers have the same DNS records and are in sync. I've tried finding documentation on this but keep coming up blank.

Thanks in advance.

From rmeggins at redhat.com  Thu Sep 24 14:43:15 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Sep 2015 08:43:15 -0600
Subject: [Freeipa-users] DNS Replication Validation
In-Reply-To:
References:
Message-ID: <56040C03.10303@redhat.com>

On 09/24/2015 08:32 AM, Aric Wilisch wrote:
> I need a way to validate that both the primary and the redundant FreeIPA server's DNS zones are in sync. What's the simplest way for me to do this?

Do a DNS query to confirm that the SOA record for the primary is identical to the SOA for the secondary.

>
> My boss won't let me continue with an upgrade until he's sure the primary and redundant servers have the same DNS records and are in sync. I've tried finding documentation on this but keep coming up blank.
>
> Thanks in advance.
>

From mbasti at redhat.com  Thu Sep 24 14:53:08 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 24 Sep 2015 16:53:08 +0200
Subject: [Freeipa-users] DNS Replication Validation
In-Reply-To: <56040C03.10303@redhat.com>
References: <56040C03.10303@redhat.com>
Message-ID: <56040E54.5070802@redhat.com>

On 09/24/2015 04:43 PM, Rich Megginson wrote:
> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>> I need a way to validate that both the primary and the redundant
>> FreeIPA server's DNS zones are in sync. What's the simplest way for
>> me to do this?
>
> Do a DNS query to confirm that the SOA record for the primary is
> identical to the SOA for the secondary.

SOA serials are not replicated.

You can get all records via AXFR, and compare them per zone.

Maybe you can use python-dns to do comparison

http://www.dnspython.org/examples.html

HTH
Martin

>
>>
>> My boss won't let me continue with an upgrade until he's sure the
>> primary and redundant servers have the same DNS records and are in
>> sync. I've tried finding documentation on this but keep coming up blank.
>>
>> Thanks in advance.
>>
>

From rmeggins at redhat.com  Thu Sep 24 15:02:38 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Sep 2015 09:02:38 -0600
Subject: [Freeipa-users] DNS Replication Validation
In-Reply-To: <56040E54.5070802@redhat.com>
References: <56040C03.10303@redhat.com> <56040E54.5070802@redhat.com>
Message-ID: <5604108E.3010604@redhat.com>

On 09/24/2015 08:53 AM, Martin Basti wrote:
>
>
> On 09/24/2015 04:43 PM, Rich Megginson wrote:
>> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>>> I need a way to validate that both the primary and the redundant
>>> FreeIPA server's DNS zones are in sync. What's the simplest way for
>>> me to do this?
>>
>> Do a DNS query to confirm that the SOA record for the primary is
>> identical to the SOA for the secondary.
>
> SOA serials are not replicated.

So with IPA you can have a master DNS and a replica DNS that have different SOA?
Then the records are replicated using the standard IPA dirsrv replication protocol?

In that case, doesn't ipa-replica-manage have a way to ask if the replicas are in sync?

>
> You can get all records via AXFR, and compare them per zone.
>
> Maybe you can use python-dns to do comparison
>
> http://www.dnspython.org/examples.html

That seems pretty heavyweight if there are a lot of records.

>
> HTH
> Martin
>>
>>>
>>> My boss won't let me continue with an upgrade until he's sure the
>>> primary and redundant servers have the same DNS records and are in
>>> sync. I've tried finding documentation on this but keep coming up
>>> blank.
>>>
>>> Thanks in advance.
>>>
>>
>

From mbasti at redhat.com  Thu Sep 24 15:13:22 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 24 Sep 2015 17:13:22 +0200
Subject: [Freeipa-users] DNS Replication Validation
In-Reply-To: <5604108E.3010604@redhat.com>
References: <56040C03.10303@redhat.com> <56040E54.5070802@redhat.com>
 <5604108E.3010604@redhat.com>
Message-ID: <56041312.90906@redhat.com>

On 09/24/2015 05:02 PM, Rich Megginson wrote:
> On 09/24/2015 08:53 AM, Martin Basti wrote:
>>
>>
>> On 09/24/2015 04:43 PM, Rich Megginson wrote:
>>> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>>>> I need a way to validate that both the primary and the redundant
>>>> FreeIPA server's DNS zones are in sync. What's the simplest way for
>>>> me to do this?
>>>
>>> Do a DNS query to confirm that the SOA record for the primary is
>>> identical to the SOA for the secondary.
>>
>> SOA serials are not replicated.
>
> So with IPA you can have a master DNS and a replica DNS that have
> different SOA?

Just SOA serial, other records are replicated.

>
> Then the records are replicated using the standard IPA dirsrv
> replication protocol?
>
> In that case, doesn't ipa-replica-manage have a way to ask if the
> replicas are in sync?

I don't think that ipa-replica-manage is capable of detecting if replicas are in sync.
AFAIK this feature is planned for future IPA versions.
Inspecting DS error log may help to find replication issues if any.

Martin

>
>>
>> You can get all records via AXFR, and compare them per zone.
>>
>> Maybe you can use python-dns to do comparison
>>
>> http://www.dnspython.org/examples.html
>
> That seems pretty heavyweight if there are a lot of records.
>
>>
>> HTH
>> Martin
>>>
>>>>
>>>> My boss won't let me continue with an upgrade until he's sure the
>>>> primary and redundant servers have the same DNS records and are in
>>>> sync. I've tried finding documentation on this but keep coming up
>>>> blank.
>>>>
>>>> Thanks in advance.
>>>>
>>>
>>
>

From awilisch at gmail.com  Thu Sep 24 15:24:42 2015
From: awilisch at gmail.com (Aric Wilisch)
Date: Thu, 24 Sep 2015 11:24:42 -0400
Subject: [Freeipa-users] DNS Replication Validation
In-Reply-To: <56041312.90906@redhat.com>
References: <56040C03.10303@redhat.com> <56040E54.5070802@redhat.com>
 <5604108E.3010604@redhat.com> <56041312.90906@redhat.com>
Message-ID: <2FBB27A4-70C7-49B9-B46A-EB7137C52244@gmail.com>

Is there a way of exporting the DNS information out of Freeipa? Then I could just do a diff on the export from master and replica.

> On Sep 24, 2015, at 11:13 AM, Martin Basti wrote:
>
>
>
> On 09/24/2015 05:02 PM, Rich Megginson wrote:
>> On 09/24/2015 08:53 AM, Martin Basti wrote:
>>>
>>>
>>> On 09/24/2015 04:43 PM, Rich Megginson wrote:
>>>> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>>>>> I need a way to validate that both the primary and the redundant FreeIPA server's DNS zones are in sync. What's the simplest way for me to do this?
>>>>
>>>> Do a DNS query to confirm that the SOA record for the primary is identical to the SOA for the secondary.
>>>
>>> SOA serials are not replicated.
>>
>> So with IPA you can have a master DNS and a replica DNS that have different SOA?
> Just SOA serial, other records are replicated.
>
>>
>> Then the records are replicated using the standard IPA dirsrv replication protocol?
>>
>> In that case, doesn't ipa-replica-manage have a way to ask if the replicas are in sync?
> I don't think that ipa-replica-manage is capable of detecting if replicas are in sync.
> AFAIK this feature is planned for future IPA versions.
> Inspecting DS error log may help to find replication issues if any.
>
> Martin
>
>>
>>>
>>> You can get all records via AXFR, and compare them per zone.
>>>
>>> Maybe you can use python-dns to do comparison
>>>
>>> http://www.dnspython.org/examples.html
>>
>> That seems pretty heavyweight if there are a lot of records.
>>
>>>
>>> HTH
>>> Martin
>>>>
>>>>>
>>>>> My boss won't let me continue with an upgrade until he's sure the primary and redundant servers have the same DNS records and are in sync. I've tried finding documentation on this but keep coming up blank.
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>
>>>
>>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From rmeggins at redhat.com  Thu Sep 24 15:29:21 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Sep 2015 09:29:21 -0600
Subject: [Freeipa-users] DNS Replication Validation
In-Reply-To: <2FBB27A4-70C7-49B9-B46A-EB7137C52244@gmail.com>
References: <56040C03.10303@redhat.com> <56040E54.5070802@redhat.com>
 <5604108E.3010604@redhat.com> <56041312.90906@redhat.com>
 <2FBB27A4-70C7-49B9-B46A-EB7137C52244@gmail.com>
Message-ID: <560416D1.1060505@redhat.com>

On 09/24/2015 09:24 AM, Aric Wilisch wrote:
> Is there a way of exporting the DNS information out of Freeipa? Then I could just do a diff on the export from master and replica.

That's what Martin was suggesting you use dnspython to do.
>
>> On Sep 24, 2015, at 11:13 AM, Martin Basti wrote:
>>
>>
>>
>> On 09/24/2015 05:02 PM, Rich Megginson wrote:
>>> On 09/24/2015 08:53 AM, Martin Basti wrote:
>>>>
>>>> On 09/24/2015 04:43 PM, Rich Megginson wrote:
>>>>> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>>>>>> I need a way to validate that both the primary and the redundant FreeIPA server's DNS zones are in sync. What's the simplest way for me to do this?
>>>>> Do a DNS query to confirm that the SOA record for the primary is identical to the SOA for the secondary.
>>>> SOA serials are not replicated.
>>> So with IPA you can have a master DNS and a replica DNS that have different SOA?
>> Just SOA serial, other records are replicated.
>>
>>> Then the records are replicated using the standard IPA dirsrv replication protocol?
>>>
>>> In that case, doesn't ipa-replica-manage have a way to ask if the replicas are in sync?
>> I don't think that ipa-replica-manage is capable of detecting if replicas are in sync.
>> AFAIK this feature is planned for future IPA versions.
>> Inspecting DS error log may help to find replication issues if any.
>>
>> Martin
>>
>>>> You can get all records via AXFR, and compare them per zone.
>>>>
>>>> Maybe you can use python-dns to do comparison
>>>>
>>>> http://www.dnspython.org/examples.html
>>> That seems pretty heavyweight if there are a lot of records.
>>>
>>>> HTH
>>>> Martin
>>>>>> My boss won't let me continue with an upgrade until he's sure the primary and redundant servers have the same DNS records and are in sync. I've tried finding documentation on this but keep coming up blank.
>>>>>>
>>>>>> Thanks in advance.
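The AXFR-and-compare approach Martin Basti and Rich Megginson settle on in the thread above, written out as an added example (not code from the list or from FreeIPA). It pulls a zone from each server with `dig ... AXFR`, normalises the answer lines, masks the SOA serial (which, as the thread notes, IPA does not replicate) and reports which records exist on only one side. The two transfers embedded in the block are constructed for a made-up `example.test` zone; `fetch_axfr()` is the only part that talks to a server and is not exercised by the sample. Martin's dnspython suggestion would replace the `dig` call with `dns.query.xfr`; the stdlib version is used here so the comparison runs without extra packages.

```python
"""Diff the records two FreeIPA DNS servers serve for one zone.

Added example. Zone transfers are fetched with dig; the comparison works on
the text lines dig prints, so it can also be run on saved transfer output.
"""
import subprocess


def fetch_axfr(server, zone):
    """Return the answer lines of `dig +noall +answer @server zone AXFR`.

    The zone must permit transfers to the querying host; a refused transfer
    yields no record lines, so check that the result is non-empty.
    """
    result = subprocess.run(
        ["dig", "+noall", "+answer", f"@{server}", zone, "AXFR"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.splitlines()


def normalize(lines):
    """Turn dig answer lines into a set of (owner, ttl, class, type, rdata).

    Owner names are lower-cased, whitespace is collapsed, comment and short
    lines are skipped, and the third SOA field (the serial) is replaced with
    "*" so two servers with different serials but identical data compare
    equal. AXFR returns the SOA at both ends of the transfer; the set absorbs
    that duplicate.
    """
    records = set()
    for raw in lines:
        parts = raw.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        owner, ttl, rclass, rtype = parts[0].lower(), parts[1], parts[2], parts[3].upper()
        rdata = parts[4:]
        if rtype == "SOA" and len(rdata) >= 3:
            rdata[2] = "*"  # mask the serial
        records.add((owner, ttl, rclass, rtype, " ".join(rdata)))
    return records


def compare_zone(lines_a, lines_b):
    """Diff two transfers; lists the records present on only one server."""
    a, b = normalize(lines_a), normalize(lines_b)
    return {
        "in_sync": a == b,
        "only_on_a": sorted(a - b),
        "only_on_b": sorted(b - a),
        "common": len(a & b),
    }


# Constructed sample transfers for the zone example.test from two servers:
# serials differ (expected with IPA), and each side has one record the other
# lacks, which is the condition the comparison must surface.
PRIMARY_AXFR = """\
example.test.\t\t86400\tIN\tSOA\tipa1.example.test. hostmaster.example.test. 1443100123 3600 900 1209600 3600
example.test.\t\t86400\tIN\tNS\tipa1.example.test.
example.test.\t\t86400\tIN\tNS\tipa2.example.test.
ipa1.example.test.\t1200\tIN\tA\t192.0.2.10
ipa2.example.test.\t1200\tIN\tA\t192.0.2.11
db01.example.test.\t1200\tIN\tA\t192.0.2.50
example.test.\t\t86400\tIN\tSOA\tipa1.example.test. hostmaster.example.test. 1443100123 3600 900 1209600 3600
""".splitlines()

REPLICA_AXFR = """\
example.test.\t\t86400\tIN\tSOA\tipa1.example.test. hostmaster.example.test. 1443100007 3600 900 1209600 3600
example.test.\t\t86400\tIN\tNS\tipa1.example.test.
example.test.\t\t86400\tIN\tNS\tipa2.example.test.
ipa1.example.test.\t1200\tIN\tA\t192.0.2.10
ipa2.example.test.\t1200\tIN\tA\t192.0.2.11
web01.example.test.\t1200\tIN\tA\t192.0.2.60
example.test.\t\t86400\tIN\tSOA\tipa1.example.test. hostmaster.example.test. 1443100007 3600 900 1209600 3600
""".splitlines()


if __name__ == "__main__":
    # Offline demonstration on the constructed transfers. Against live servers:
    #   compare_zone(fetch_axfr("ipa1.example.test", "example.test"),
    #                fetch_axfr("ipa2.example.test", "example.test"))
    result = compare_zone(PRIMARY_AXFR, REPLICA_AXFR)
    print("in sync:", result["in_sync"], "| common records:", result["common"])
    for rec in result["only_on_a"]:
        print("only on primary:", " ".join(rec))
    for rec in result["only_on_b"]:
        print("only on replica:", " ".join(rec))
```

Run it per zone, from a host the zone's allow-transfer ACL admits (`ipa dnszone-mod ZONE --allow-transfer=...` controls that in IPA), and treat a non-empty `only_on_*` list as a replication problem to chase in the Directory Server error log before proceeding with the upgrade.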
From hectorl at alumni.usc.edu  Thu Sep 24 19:30:25 2015
From: hectorl at alumni.usc.edu (HECTOR LOPEZ)
Date: Thu, 24 Sep 2015 12:30:25 -0700
Subject: [Freeipa-users] user delete command hangs kdc and ldap stop responding
In-Reply-To: <5603BD92.50108@redhat.com>
References: <55FBC2AB.7060302@redhat.com> <560137B0.3080904@redhat.com>
 <5603BD92.50108@redhat.com>
Message-ID:

Thierry, wow I feel lucky! LOL

I noticed that I can delete other users, but this one user always causes the bug to rear its ugly head. This is a test user we created.

# sclown, users, accounts, gseis.ucla.edu
dn: uid=sclown,cn=users,cn=accounts,dc=gseis,dc=ucla,dc=edu
employeeType: visitor
cn: Shakes Clown
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
l: Los Angeles
st: CA
displayName: Shakes Clown
gidNumber: 20
employeeNumber: VIS391880
gecos: Shakes Clown
sn: Clown
homeDirectory: /Network/Servers/
 nh2.gseis.ucla.edu/Volumes/RAIDvolume/homes/vi
 sitor/sclown
postalCode: 90095
mail: cretin at me.com
krbPrincipalName: sclown at GSEIS.UCLA.EDU
givenName: Shakes
uid: sclown
initials: SC
userPassword:: e1NTSEF9Y1NXaEJRSVRrOWdidWpCcm5JTFlKWEUybktyYXBNRnB1eDBIQ0E9PQ=
 =
ipaUniqueID: 2fab91a6-5812-11e5-9373-90b11c1a954a
uidNumber: 194600031
krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBhDCCAYAwaKAbMBmgAwIBBKES
 BBB9V2BLYkBSPUkzSld9ISlQoUkwR6ADAgESoUAEPiAAXL+ALNmUHfFz32S79pat/DF12z2A2CdLk
 Qo0gUU4ZTwXX+/W96c4gucMNgeRKUg/JXMcVOkzbHfKI/OIMFigGzAZoAMCAQShEgQQLUR6dz5SKC
 h0d0VbLHAhXqE5MDegAwIBEaEwBC4QACwGZrLUGf2mfQTLFfpIaWz2HKMnAgh2Jx4tFszywGEK+J3
 dRZdWzL3EsY7dMGCgGzAZoAMCAQShEgQQYVY5PStNTSEzb2RxQ05FdaFBMD+gAwIBEKE4BDYYAGZx
 RtKZbhSzCnfwh2pilHetKJxIZSjE18+WLvj6H15Cb5+z5fq7rkZ/qy8OmTihkZmURQEwWKAbMBmgA
 wIBBKESBBBZWWY6JDhEdSpbUU8vYGNzoTkwN6ADAgEXoTAELhAA1qYSMtClf1w5DcsVzaMaotrE6F
 TbJbDBgVS8wahXA/WNg49ctWLqVnBgM7Y=
krbPasswordExpiration: 20150910231802Z
krbLastPwdChange: 20150910231802Z
krbExtraData:: AAKqD/JVcm9vdC9hZG1pbkBHU0VJUy5VQ0xBLkVEVQA=
mepManagedEntry: cn=sclown,cn=groups,cn=accounts,dc=gseis,dc=ucla,dc=edu
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=gseis,dc=ucla,dc=edu
ipaNTSecurityIdentifier: S-1-5-21-2093508036-4063588109-728608799-1031

On Thu, Sep 24, 2015 at 2:08 AM, thierry bordaz wrote:

> Hello Hector,
>
> You actually hit https://fedorahosted.org/389/ticket/47976.
> I updated the ticket with your thread/data.
>
> This is a known deadlock with no fix yet.
> This problem seemed to be quite rare but you are hitting it quite
> frequently.
> Did you identify a test case for it ? How frequently does it happen ?
>
> thanks
> thierry
>
> On 09/23/2015 09:53 PM, HECTOR LOPEZ wrote:
>
> Thierry,
>
> Here is a fresh pstack of ns-slapd after ipa user-del hangs;
> the db_stat output follows.
> Also, killing ns-slapd restores functionality to ipactl restart:
>
> sh-4.2# gstack 6134
> Thread 45 (Thread 0x7fa9ce4a4700 (LWP 6136)):
> #0 0x00007fa9dd7628f3 in select () from /lib64/libc.so.6
> #1 0x00007fa9dfcdd459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
> #2 0x00007fa9d247e4a7 in deadlock_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> #3 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #4 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #5 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 44 (Thread 0x7fa9cdca3700 (LWP 6137)):
> #0 0x00007fa9dd7628f3 in select () from /lib64/libc.so.6
> #1 0x00007fa9dfcdd459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
> #2 0x00007fa9d2482576 in checkpoint_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> #3 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #4 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #5 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 43 (Thread 0x7fa9cd4a2700 (LWP 6138)):
> #0 0x00007fa9dd7628f3 in select () from /lib64/libc.so.6
> #1 0x00007fa9dfcdd459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
> #2 0x00007fa9d247e71f in trickle_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> #3 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #4 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #5 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 42 (Thread 0x7fa9ccca1700 (LWP 6139)):
> #0 0x00007fa9dd7628f3 in select () from /lib64/libc.so.6
> #1 0x00007fa9dfcdd459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
> #2 0x00007fa9d2479437 in perf_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
> #3 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #4 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #5 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 41 (Thread 0x7fa9c7fff700 (LWP 6140)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9dfccd438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
> #3 0x00007fa9d68e164e in cos_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libcos-plugin.so
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 40 (Thread 0x7fa9c77fe700 (LWP 6141)):
> #0 0x00007fa9dd760b7d in poll () from /lib64/libc.so.6
> #1 0x00007fa9d426247c in ipa_cldap_worker () from /usr/lib64/dirsrv/plugins/libipa_cldap.so
> #2 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #3 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 39 (Thread 0x7fa9c6ffd700 (LWP 6142)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9dfccd438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
> #3 0x00007fa9d0b20edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 38 (Thread 0x7fa9c67fc700 (LWP 6143)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9dfccd438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
> #3 0x00007fa9d0b20edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 37 (Thread 0x7fa9c5ffb700 (LWP 6144)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9dfccd438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
> #3 0x00007fa9d0b20edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 36 (Thread 0x7fa9c57fa700 (LWP 6145)):
> #0 0x00007fa9dda41ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de096b07 in pt_TimedWait () from /lib64/libnspr4.so
> #2 0x00007fa9de096fce in PR_WaitCondVar () from /lib64/libnspr4.so
> #3 0x00007fa9e0181a93 in housecleaning ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 35 (Thread 0x7fa9c4ff9700 (LWP 6146)):
> #0 0x00007fa9dda41ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de096b07 in pt_TimedWait () from /lib64/libnspr4.so
> #2 0x00007fa9de096fce in PR_WaitCondVar () from /lib64/libnspr4.so
> #3 0x00007fa9dfc74188 in eq_loop () from /usr/lib64/dirsrv/libslapd.so.0
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 34 (Thread 0x7fa9b7fff700 (LWP 6148)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 33 (Thread 0x7fa9b77fe700 (LWP 6149)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 32 (Thread 0x7fa9b6ffd700 (LWP 6150)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 31 (Thread 0x7fa9b67fc700 (LWP 6151)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 30 (Thread 0x7fa9b5ffb700 (LWP 6152)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 29 (Thread 0x7fa9b57fa700 (LWP 6153)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 28 (Thread 0x7fa9b4ff9700 (LWP 6154)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 27 (Thread 0x7fa9b47f8700 (LWP 6155)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 26 (Thread 0x7fa9b3ff7700 (LWP 6156)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 25 (Thread 0x7fa9b37f6700 (LWP 6157)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 24 (Thread 0x7fa9b2ff5700 (LWP 6158)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 23 (Thread 0x7fa9b27f4700 (LWP 6159)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 22 (Thread 0x7fa9b1ff3700 (LWP 6160)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 21 (Thread 0x7fa9b17f2700 (LWP 6161)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 20 (Thread 0x7fa9b0ff1700 (LWP 6162)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 19 (Thread 0x7fa9b07f0700 (LWP 6163)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 18 (Thread 0x7fa9affef700 (LWP 6164)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 17 (Thread 0x7fa9af7ee700 (LWP 6165)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 16 (Thread 0x7fa9aefed700 (LWP 6166)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 15 (Thread 0x7fa9ae7ec700 (LWP 6167)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone
() from /lib64/libc.so.6 > Thread 14 (Thread 0x7fa9adfeb700 (LWP 6168)): > #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so > #2 0x00007fa9e017865e in connection_wait_for_new_work () > #3 0x00007fa9e017988d in connection_threadmain () > #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so > #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 > #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 > Thread 13 (Thread 0x7fa9ad7ea700 (LWP 6169)): > #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so > #2 0x00007fa9e017865e in connection_wait_for_new_work () > #3 0x00007fa9e017988d in connection_threadmain () > #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so > #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 > #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 > Thread 12 (Thread 0x7fa9acfe9700 (LWP 6170)): > #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so > #2 0x00007fa9e017865e in connection_wait_for_new_work () > #3 0x00007fa9e017988d in connection_threadmain () > #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so > #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 > #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 > Thread 11 (Thread 0x7fa9ac7e8700 (LWP 6171)): > #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from > /lib64/libpthread.so.0 > #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so > #2 0x00007fa9e017865e in connection_wait_for_new_work () > #3 0x00007fa9e017988d in connection_threadmain () > #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so > #5 0x00007fa9dda3ddf5 in start_thread () from 
/lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 10 (Thread 0x7fa9abfe7700 (LWP 6172)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from
> /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 9 (Thread 0x7fa9ab7e6700 (LWP 6173)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from
> /lib64/libpthread.so.0
> #1 0x00007fa9d860e2f3 in __db_hybrid_mutex_suspend () from /lib64/
> libdb-5.3.so
> #2 0x00007fa9d860d640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
> #3 0x00007fa9d86b7cea in __lock_get_internal () from /lib64/libdb-5.3.so
> #4 0x00007fa9d86b87d0 in __lock_get () from /lib64/libdb-5.3.so
> #5 0x00007fa9d86e4112 in __db_lget () from /lib64/libdb-5.3.so
> #6 0x00007fa9d862b5f5 in __bam_search () from /lib64/libdb-5.3.so
> #7 0x00007fa9d8616256 in __bamc_search () from /lib64/libdb-5.3.so
> #8 0x00007fa9d8617d0f in __bamc_get () from /lib64/libdb-5.3.so
> #9 0x00007fa9d86d0c56 in __dbc_iget () from /lib64/libdb-5.3.so
> #10 0x00007fa9d86dd843 in __db_get () from /lib64/libdb-5.3.so
> #11 0x00007fa9d86e1123 in __db_get_pp () from /lib64/libdb-5.3.so
> #12 0x00007fa9d248949b in id2entry () from
> /usr/lib64/dirsrv/plugins/libback-ldbm.so
> #13 0x00007fa9d24af7dd in ldbm_back_delete () from
> /usr/lib64/dirsrv/plugins/libback-ldbm.so
> #14 0x00007fa9dfc60190 in op_shared_delete () from
> /usr/lib64/dirsrv/libslapd.so.0
> #15 0x00007fa9dfc60342 in delete_internal_pb () from
> /usr/lib64/dirsrv/libslapd.so.0
> #16 0x00007fa9d1da4739 in mep_del_post_op () from
> /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so
> #17 0x00007fa9dfcac280 in plugin_call_func () from
> /usr/lib64/dirsrv/libslapd.so.0
> #18 0x00007fa9dfcac4d8 in plugin_call_plugins () from
> /usr/lib64/dirsrv/libslapd.so.0
> #19 0x00007fa9d24ae42e in ldbm_back_delete () from
> /usr/lib64/dirsrv/plugins/libback-ldbm.so
> #20 0x00007fa9dfc60190 in op_shared_delete () from
> /usr/lib64/dirsrv/libslapd.so.0
> #21 0x00007fa9dfc60453 in do_delete () from /usr/lib64/dirsrv/libslapd.so.0
> #22 0x00007fa9e017a37e in connection_threadmain ()
> #23 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #24 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #25 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 8 (Thread 0x7fa9aafe5700 (LWP 6174)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from
> /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 7 (Thread 0x7fa9aa7e4700 (LWP 6175)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from
> /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 6 (Thread 0x7fa9a9fe3700 (LWP 6176)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from
> /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 5 (Thread 0x7fa9a97e2700 (LWP 6177)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from
> /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e017865e in connection_wait_for_new_work ()
> #3 0x00007fa9e017988d in connection_threadmain ()
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 4 (Thread 0x7fa9a8fe1700 (LWP 6178)):
> #0 0x00007fa9dd7628f3 in select () from /lib64/libc.so.6
> #1 0x00007fa9dfcdd459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
> #2 0x00007fa9e017b2c5 in time_thread ()
> #3 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #4 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #5 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 3 (Thread 0x7fa93bfff700 (LWP 6220)):
> #0 0x00007fa9dda41ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from
> /lib64/libpthread.so.0
> #1 0x00007fa9de096b07 in pt_TimedWait () from /lib64/libnspr4.so
> #2 0x00007fa9de096fce in PR_WaitCondVar () from /lib64/libnspr4.so
> #3 0x00007fa9d66d6374 in sync_send_results () from
> /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so
> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 2 (Thread 0x7fa93b7fe700 (LWP 6514)):
> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 () from
> /lib64/libpthread.so.0
> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so
> #2 0x00007fa9e0185c85 in ps_send_results ()
> #3 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so
> #4 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0
> #5 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6
> Thread 1 (Thread 0x7fa9e0142840 (LWP 6134)):
> #0 0x00007fa9dd760b7d in poll () from /lib64/libc.so.6
> #1 0x00007fa9de098967 in _pr_poll_with_poll () from /lib64/libnspr4.so
> #2 0x00007fa9e017df59 in slapd_daemon ()
> #3 0x00007fa9e017117c in main ()
>
> here is the db_stat:
>
> Default locking region information:
> 902 Last allocated locker ID
> 0x7fffffff Current maximum unused locker ID
> 9 Number of lock modes
> 200 Initial number of locks allocated
> 0 Initial number of lockers allocated
> 200 Initial number of lock objects allocated
> 10000 Maximum number of locks possible
> 10000 Maximum number of lockers possible
> 10000 Maximum number of lock objects possible
> 390 Current number of locks allocated
> 188 Current number of lockers allocated
> 250 Current number of lock objects allocated
> 40 Number of lock object partitions
> 8191 Size of object hash table
> 314 Number of current locks
> 338 Maximum number of locks at any one time
> 4 Maximum number of locks in any one bucket
> 457 Maximum number of locks stolen by for an empty partition
> 23 Maximum number of locks stolen for any one partition
> 160 Number of current lockers
> 162 Maximum number of lockers at any one time
> 216 Number of current lock objects
> 224 Maximum number of lock objects at any one time
> 2 Maximum number of lock objects in any one bucket
> 68 Maximum number of objects stolen by for an empty partition
> 7 Maximum number of objects stolen for any one partition
> 1547826 Total number of locks requested
> 1546707 Total number of locks released
> 0 Total number of locks upgraded
> 74 Total number of locks downgraded
> 38 Lock requests not available due to conflicts, for which we waited
> 54 Lock requests not available due to conflicts, for which we did not
> wait
> 0 Number of deadlocks
> 0 Lock timeout value
> 0 Number of locks that have timed out
> 0 Transaction timeout value
> 0 Number of transactions that have timed out
> 2MB 304KB Region size
> 14 The number of partition locks that required waiting (0%)
> 9 The maximum number of times any partition lock was waited for (0%)
> 0 The number of object queue operations that required waiting (0%)
> 1 The number of locker allocations that required waiting (0%)
> 2 The number of region locks that required waiting (0%)
> 3 Maximum hash bucket length
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Lock REGINFO information:
> Environment Region type
> 1 Region ID
> /var/lib/dirsrv/slapd-/db/__db.001 Region name
> 0x7fdb35b3d000 Region address
> 0x7fdb35b3d0a0 Region allocation head
> 0x7fdb35b452b0 Region primary address
> 0 Region maximum allocation
> 0 Region allocated
> Region allocations: 31186 allocations, 0 failures, 30915 frees, 3 longest
> Allocations by power-of-two sizes:
> 1KB 31169
> 2KB 3
> 4KB 6
> 8KB 5
> 16KB 0
> 32KB 1
> 64KB 0
> 128KB 0
> 256KB 2
> 512KB 0
> 1024KB 1
> REGION_SHARED Region flags
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Lock region parameters:
> 2 Lock region region mutex [2/487136 0% !Own]
> 16381 locker table size
> 8191 object table size
> 34128 obj_off
> 889656 locker_off
> 0 need_dd
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Lock conflict matrix:
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Locks grouped by lockers:
> Locker Mode Count Status ----------------- Object ---------------
> 2 dd=158 locks held 1 write locks 0 pid/thread
> 6134/140367585617984 flags 10 priority 100
> 2 READ 1 HELD userRoot/id2entry.db handle 0
> 3 dd=157 locks held 0 write locks 0 pid/thread
> 6134/140366854457088 flags 0 priority 100
> 4 dd=156 locks held 1 write locks 0 pid/thread
> 6134/140367585617984 flags 10 priority 100
> 4 READ 1 HELD ipaca/id2entry.db handle 0
> 5 dd=155 locks held 0 write locks 0 pid/thread
> 6134/140366787315456 flags 0 priority 100
> 6 dd=154 locks held 1 write locks 0 
pid/thread > 6134/140367585617984 flags 10 priority 100 > 6 READ 1 HELD ipaca/entryrdn.db handle 0 > 7 dd=153 locks held 0 write locks 0 pid/thread > 6134/140366795708160 flags 0 priority 100 > 8 dd=152 locks held 0 write locks 0 pid/thread > 6134/140366812493568 flags 0 priority 100 > 9 dd=151 locks held 0 write locks 0 pid/thread > 6134/140366694995712 flags 0 priority 100 > a dd=150 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > a READ 1 HELD ipaca/vlv#allcertspkitomcatindex.db > handle 0 > c dd=149 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > c READ 1 HELD > ipaca/vlv#allinvalidcertspkitomcatindex.db handle 0 > d dd=148 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > d READ 1 HELD > ipaca/vlv#allinvalidcertsnotbeforepkitomcatindex.db handle 0 > e dd=147 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > e READ 1 HELD > ipaca/vlv#allnonrevokedcertspkitomcatindex.db handle 0 > 15 dd=146 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 15 READ 1 HELD ipaca/vlv#allvalidcertspkitomcatindex.db > handle 0 > 16 dd=145 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 16 READ 1 HELD > ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db handle 0 > 17 dd=144 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 17 READ 1 HELD > ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db handle 0 > 18 dd=143 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 18 READ 1 HELD ipaca/vlv#caallpkitomcatindex.db > handle 0 > 1d dd=142 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 1d READ 1 HELD ipaca/vlv#cacompletepkitomcatindex.db > handle 0 > 1e dd=141 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 1e READ 1 HELD > 
ipaca/vlv#cacompleteenrollmentpkitomcatindex.db handle 0 > 21 dd=140 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 21 READ 1 HELD ipaca/vlv#caenrollmentpkitomcatindex.db > handle 0 > 22 dd=139 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 22 READ 1 HELD ipaca/vlv#capendingpkitomcatindex.db > handle 0 > 23 dd=138 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 23 READ 1 HELD > ipaca/vlv#capendingenrollmentpkitomcatindex.db handle 0 > 2c dd=137 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 2c READ 1 HELD changelog/id2entry.db handle 0 > 2d dd=136 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 2e dd=135 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 2e READ 1 HELD changelog/entryusn.db handle 0 > 2f dd=134 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 30 dd=133 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 30 READ 1 HELD userRoot/entryusn.db handle 0 > 31 dd=132 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 32 dd=131 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 32 READ 1 HELD ipaca/entryusn.db handle 0 > 33 dd=130 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 34 dd=129 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 34 READ 1 HELD userRoot/entryrdn.db handle 0 > 35 dd=128 locks held 0 write locks 0 pid/thread > 6134/140366745351936 flags 0 priority 100 > 36 dd=127 locks held 0 write locks 0 pid/thread > 6134/140366703388416 flags 0 priority 100 > 36 READ 1 WAIT userRoot/id2entry.db page 2 > 37 dd=126 locks held 0 write locks 0 pid/thread > 6134/140366745351936 flags 0 priority 100 > 38 dd=125 locks held 1 write locks 
0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 38 READ 1 HELD userRoot/objectclass.db handle 0 > 39 dd=124 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 3a dd=123 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 3a READ 1 HELD userRoot/ancestorid.db handle 0 > 3b dd=122 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 3c dd=121 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 3c READ 1 HELD changelog/entryrdn.db handle 0 > 3d dd=120 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 3e dd=119 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 3f dd=118 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 40 dd=117 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 40 READ 1 HELD changelog/objectclass.db handle 0 > 41 dd=116 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 42 dd=115 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 43 dd=114 locks held 0 write locks 0 pid/thread > 6134/140366904813312 flags 0 priority 100 > 43 READ 1 WAIT userRoot/objectclass.db page 2 > 44 dd=113 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 44 READ 1 HELD ipaca/objectclass.db handle 0 > 45 dd=112 locks held 0 write locks 0 pid/thread > 6134/140366720173824 flags 0 priority 100 > 46 dd=111 locks held 0 write locks 0 pid/thread > 6134/140366778922752 flags 0 priority 100 > 47 dd=110 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 47 READ 1 HELD changelog/aci.db handle 0 > 48 dd=109 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 49 dd=108 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 
49 READ 1 HELD userRoot/aci.db handle 0 > 4a dd=107 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 4b dd=106 locks held 0 write locks 0 pid/thread > 6134/140366720173824 flags 0 priority 100 > 4c dd=105 locks held 0 write locks 0 pid/thread > 6134/140366904813312 flags 0 priority 100 > 4d dd=104 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 4d READ 1 HELD ipaca/aci.db handle 0 > 4e dd=103 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 4f dd=102 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 4f READ 1 HELD userRoot/parentid.db handle 0 > 50 dd=101 locks held 0 write locks 0 pid/thread > 6134/140367585617984 flags 0 priority 100 > 51 dd=100 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 52 dd=99 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 52 READ 1 HELD changelog/nsuniqueid.db handle 0 > 53 dd=98 locks held 1 write locks 0 pid/thread > 6134/140367585617984 flags 10 priority 100 > 53 READ 1 HELD changelog/changenumber.db handle 0 > 54 dd=97 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 55 dd=96 locks held 0 write locks 0 pid/thread > 6134/140367584454400 flags 0 priority 100 > 56 dd=95 locks held 1 write locks 0 pid/thread > 6134/140367584454400 flags 10 priority 100 > 56 READ 1 HELD changelog/targetuniqueid.db handle > 0 > 57 dd=94 locks held 1 write locks 0 pid/thread > 6134/140367584454400 flags 10 priority 100 > 57 READ 1 HELD changelog/parentid.db handle 0 > 58 dd=93 locks held 1 write locks 0 pid/thread > 6134/140367584454400 flags 10 priority 100 > 58 READ 1 HELD changelog/ancestorid.db handle 0 > 59 dd=92 locks held 1 write locks 0 pid/thread > 6134/140367584454400 flags 10 priority 100 > 59 READ 1 HELD changelog/numsubordinates.db > handle 0 > 5a dd=91 locks held 0 write locks 0 pid/thread > 
6134/140367584454400 flags 0 priority 100 > 5b dd=90 locks held 0 write locks 0 pid/thread > 6134/140366820886272 flags 0 priority 100 > 5c dd=89 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 5d dd=88 locks held 1 write locks 0 pid/thread > 6134/140366812493568 flags 10 priority 100 > 5d READ 1 HELD userRoot/krbPrincipalName.db > handle 0 > 5e dd=87 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 5f dd=86 locks held 0 write locks 0 pid/thread > 6134/140366854457088 flags 0 priority 100 > 60 dd=85 locks held 0 write locks 0 pid/thread > 6134/140366804100864 flags 0 priority 100 > 61 dd=84 locks held 1 write locks 0 pid/thread > 6134/140366694995712 flags 10 priority 100 > 61 READ 1 HELD userRoot/ipakrbprincipalalias.db > handle 0 > 62 dd=83 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 63 dd=82 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 64 dd=81 locks held 1 write locks 0 pid/thread > 6134/140366762137344 flags 10 priority 100 > 64 READ 1 HELD changelog/seeAlso.db handle 0 > 65 dd=80 locks held 0 write locks 0 pid/thread > 6134/140366820886272 flags 0 priority 100 > 66 dd=79 locks held 1 write locks 0 pid/thread > 6134/140366762137344 flags 10 priority 100 > 66 READ 1 HELD userRoot/seeAlso.db handle 0 > 67 dd=78 locks held 0 write locks 0 pid/thread > 6134/140366820886272 flags 0 priority 100 > 68 dd=77 locks held 1 write locks 0 pid/thread > 6134/140366762137344 flags 10 priority 100 > 68 READ 1 HELD ipaca/seeAlso.db handle 0 > 69 dd=76 locks held 0 write locks 0 pid/thread > 6134/140366820886272 flags 0 priority 100 > 6a dd=75 locks held 0 write locks 0 pid/thread > 6134/140366795708160 flags 0 priority 100 > 6b dd=74 locks held 0 write locks 0 pid/thread > 6134/140366795708160 flags 0 priority 100 > 6c dd=73 locks held 0 write locks 0 pid/thread > 6134/140366795708160 flags 0 priority 100 > 6d dd=72 locks held 0 
write locks 0 pid/thread > 6134/140366778922752 flags 0 priority 100 > 6e dd=71 locks held 0 write locks 0 pid/thread > 6134/140366778922752 flags 0 priority 100 > 6f dd=70 locks held 0 write locks 0 pid/thread > 6134/140366720173824 flags 0 priority 100 > 70 dd=69 locks held 0 write locks 0 pid/thread > 6134/140366778922752 flags 0 priority 100 > 71 dd=68 locks held 1 write locks 0 pid/thread > 6134/140366669817600 flags 10 priority 100 > 71 READ 1 HELD ipaca/certstatus.db handle 0 > 72 dd=67 locks held 0 write locks 0 pid/thread > 6134/140366778922752 flags 0 priority 100 > 73 dd=66 locks held 0 write locks 0 pid/thread > 6134/140366871242496 flags 0 priority 100 > 74 dd=65 locks held 0 write locks 0 pid/thread > 6134/140366871242496 flags 0 priority 100 > 75 dd=64 locks held 1 write locks 0 pid/thread > 6134/140366812493568 flags 10 priority 100 > 75 READ 1 HELD ipaca/cn.db handle 0 > 76 dd=63 locks held 0 write locks 0 pid/thread > 6134/140366812493568 flags 0 priority 100 > 77 dd=62 locks held 1 write locks 0 pid/thread > 6134/140366745351936 flags 10 priority 100 > 77 READ 1 HELD ipaca/requeststate.db handle 0 > 78 dd=61 locks held 0 write locks 0 pid/thread > 6134/140366745351936 flags 0 priority 100 > 79 dd=60 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 79 READ 1 HELD userRoot/gidnumber.db handle 0 > 7a dd=59 locks held 0 write locks 0 pid/thread > 6134/140366812493568 flags 0 priority 100 > 7b dd=58 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 7b READ 1 HELD userRoot/uidnumber.db handle 0 > 7c dd=57 locks held 0 write locks 0 pid/thread > 6134/140366795708160 flags 0 priority 100 > 7d dd=56 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 7d READ 1 HELD userRoot/nsuniqueid.db handle 0 > 7e dd=55 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 7e READ 1 HELD userRoot/numsubordinates.db handle > 0 > 7f 
dd=54 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 7f READ 1 HELD userRoot/member.db handle 0 > 80 dd=53 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 80 READ 1 HELD userRoot/uniquemember.db handle 0 > 81 dd=52 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 81 READ 1 HELD userRoot/owner.db handle 0 > 82 dd=51 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 82 READ 1 HELD userRoot/manager.db handle 0 > 83 dd=50 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 83 READ 1 HELD userRoot/secretary.db handle 0 > 84 dd=49 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 84 READ 1 HELD userRoot/memberUser.db handle 0 > 85 dd=48 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 85 READ 1 HELD userRoot/memberHost.db handle 0 > 86 dd=47 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 86 READ 1 HELD userRoot/sourcehost.db handle 0 > 87 dd=46 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 87 READ 1 HELD userRoot/memberservice.db handle 0 > 88 dd=45 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 88 READ 1 HELD userRoot/managedby.db handle 0 > 89 dd=44 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 89 READ 1 HELD userRoot/memberallowcmd.db handle 0 > 8a dd=43 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 8a READ 1 HELD userRoot/memberdenycmd.db handle 0 > 8b dd=42 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 8b READ 1 HELD userRoot/ipasudorunas.db handle 0 > 8c dd=41 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 8c READ 1 HELD userRoot/ipasudorunasgroup.db > 
handle 0 > 8d dd=40 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 8d READ 1 HELD userRoot/ipatokenradiusconfiglink.db > handle 0 > 8e dd=39 locks held 1 write locks 0 pid/thread > 6134/140367131285248 flags 10 priority 100 > 8e READ 1 HELD userRoot/ipaassignedidview.db > handle 0 > 8f dd=38 locks held 0 write locks 0 pid/thread > 6134/140366720173824 flags 0 priority 100 > 90 dd=37 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 91 dd=36 locks held 1 write locks 0 pid/thread > 6134/140366736959232 flags 10 priority 100 > 91 READ 1 HELD userRoot/uid.db handle 0 > 92 dd=35 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 94 dd=34 locks held 0 write locks 0 pid/thread > 6134/140366720173824 flags 0 priority 100 > 95 dd=33 locks held 0 write locks 0 pid/thread > 6134/140366711781120 flags 0 priority 100 > 97 dd=32 locks held 1 write locks 0 pid/thread > 6134/140366711781120 flags 10 priority 100 > 97 READ 1 HELD userRoot/memberuid.db handle 0 > 98 dd=31 locks held 0 write locks 0 pid/thread > 6134/140366862849792 flags 0 priority 100 > 99 dd=30 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 9a dd=29 locks held 1 write locks 0 pid/thread > 6134/140366728566528 flags 10 priority 100 > 9a READ 1 HELD userRoot/cn.db handle 0 > 9b dd=28 locks held 0 write locks 0 pid/thread > 6134/140366846064384 flags 0 priority 100 > 9c dd=27 locks held 0 write locks 0 pid/thread > 6134/140366862849792 flags 0 priority 100 > 9d dd=26 locks held 0 write locks 0 pid/thread > 6134/140366787315456 flags 0 priority 100 > 9f dd=25 locks held 0 write locks 0 pid/thread > 6134/140366678210304 flags 0 priority 100 > a0 dd=24 locks held 0 write locks 0 pid/thread > 6134/140366669817600 flags 0 priority 100 > a1 dd=23 locks held 0 write locks 0 pid/thread > 6134/140366904813312 flags 0 priority 100 > a2 dd=22 locks held 0 write locks 0 pid/thread > 
6134/140366862849792 flags 0 priority 100 > a4 dd=21 locks held 0 write locks 0 pid/thread > 6134/140366862849792 flags 0 priority 100 > da dd=20 locks held 0 write locks 0 pid/thread > 6134/140366745351936 flags 0 priority 100 > db dd=19 locks held 0 write locks 0 pid/thread > 6134/140366669817600 flags 0 priority 100 > dc dd=18 locks held 0 write locks 0 pid/thread > 6134/140366745351936 flags 0 priority 100 > dd dd=17 locks held 0 write locks 0 pid/thread > 6134/140366669817600 flags 0 priority 100 > 26a dd=16 locks held 0 write locks 0 pid/thread > 6134/140366913206016 flags 0 priority 100 > 274 dd=15 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 275 dd=14 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 276 dd=13 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 277 dd=12 locks held 0 write locks 0 pid/thread > 6134/140366896420608 flags 0 priority 100 > 37c dd=11 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 37d dd=10 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 37e dd= 9 locks held 0 write locks 0 pid/thread > 6134/140366736959232 flags 0 priority 100 > 37f dd= 8 locks held 1 write locks 0 pid/thread > 6134/140366854457088 flags 10 priority 100 > 37f READ 1 HELD userRoot/memberOf.db handle 0 > 380 dd= 7 locks held 0 write locks 0 pid/thread > 6134/140366854457088 flags 0 priority 100 > 381 dd= 5 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 381 READ 1 HELD userRoot/displayname.db handle 0 > 382 dd= 4 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 382 READ 1 HELD userRoot/sn.db handle 0 > 383 dd= 3 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 383 READ 1 HELD userRoot/mail.db handle 0 > 384 dd= 2 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 
priority 100 > 384 READ 1 HELD userRoot/givenName.db handle 0 > 385 dd= 1 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 385 READ 1 HELD userRoot/ipauniqueid.db handle 0 > 386 dd= 0 locks held 1 write locks 0 pid/thread > 6134/140366703388416 flags 10 priority 100 > 386 READ 1 HELD userRoot/nscpEntryDN.db handle 0 > 80003201 dd= 6 locks held 234 write locks 110 pid/thread > 6134/140366703388416 flags 0 priority 100 > 80003201 READ 1 HELD userRoot/ipaassignedidview.db > page 1 > 80003201 READ 1 HELD userRoot/ipatokenradiusconfiglink.db > page 1 > 80003201 READ 1 HELD userRoot/ipasudorunasgroup.db > page 1 > 80003201 READ 1 HELD userRoot/ipasudorunas.db page 1 > 80003201 READ 1 HELD userRoot/memberdenycmd.db page 1 > 80003201 READ 1 HELD userRoot/memberallowcmd.db page 1 > 80003201 READ 1 HELD userRoot/managedby.db page 4 > 80003201 READ 1 HELD userRoot/memberservice.db page 1 > 80003201 READ 1 HELD userRoot/sourcehost.db page 1 > 80003201 READ 1 HELD userRoot/memberHost.db page 1 > 80003201 READ 1 HELD userRoot/memberUser.db page 1 > 80003201 READ 1 HELD userRoot/secretary.db page 1 > 80003201 READ 1 HELD userRoot/manager.db page 1 > 80003201 READ 1 HELD userRoot/seeAlso.db page 1 > 80003201 READ 1 HELD userRoot/owner.db page 1 > 80003201 READ 1 HELD userRoot/uniquemember.db page 1 > 80003201 WRITE 1 HELD userRoot/id2entry.db page 6 > 80003201 WRITE 2 HELD userRoot/member.db page 110 > 80003201 READ 1 HELD userRoot/member.db page 3 > 80003201 WRITE 2 HELD userRoot/member.db page 3 > 80003201 READ 1 HELD userRoot/member.db page 59 > 80003201 WRITE 2 HELD userRoot/member.db page 59 > 80003201 READ 1 HELD userRoot/memberOf.db page 4 > 80003201 READ 3 HELD userRoot/member.db page 110 > 80003201 READ 2 HELD changelog/nsuniqueid.db page 18 > 80003201 READ 6 HELD changelog/entryrdn.db page 51 > 80003201 READ 4 HELD changelog/entryrdn.db page 13 > 80003201 WRITE 2 HELD changelog/id2entry.db page 661 > 80003201 WRITE 6 HELD 
changelog/objectclass.db page 1 > 80003201 WRITE 2 HELD changelog/targetuniqueid.db page > 45 > 80003201 WRITE 2 HELD changelog/changenumber.db page 2 > 80003201 WRITE 2 HELD changelog/nsuniqueid.db page 18 > 80003201 WRITE 2 HELD changelog/parentid.db page 1 > 80003201 WRITE 2 HELD changelog/entryusn.db page 5 > 80003201 WRITE 2 HELD changelog/ancestorid.db page 1 > 80003201 WRITE 2 HELD changelog/entryrdn.db page 13 > 80003201 WRITE 2 HELD changelog/entryrdn.db page 85 > 80003201 WRITE 2 HELD changelog/entryrdn.db page 63 > 80003201 WRITE 2 HELD changelog/id2entry.db page 2 > 80003201 WRITE 2 HELD changelog/numsubordinates.db > page 1 > 80003201 WRITE 1 HELD userRoot/numsubordinates.db page > 1 > 80003201 WRITE 1 HELD userRoot/id2entry.db page 2 > 80003201 WRITE 1 HELD userRoot/nscpEntryDN.db page 1 > 80003201 WRITE 1 HELD userRoot/objectclass.db page 17 > 80003201 WRITE 3 HELD userRoot/entryrdn.db page 68 > 80003201 READ 1 HELD userRoot/entryrdn.db page 68 > 80003201 WRITE 3 HELD userRoot/entryrdn.db page 3 > 80003201 WRITE 3 HELD userRoot/entryrdn.db page 69 > 80003201 WRITE 4 HELD userRoot/ancestorid.db page 3 > 80003201 READ 2 HELD userRoot/ancestorid.db page 3 > 80003201 WRITE 2 HELD userRoot/ancestorid.db page 4 > 80003201 READ 1 HELD userRoot/ancestorid.db page 4 > 80003201 WRITE 2 HELD userRoot/memberOf.db page 12 > 80003201 READ 1 HELD userRoot/memberOf.db page 12 > 80003201 WRITE 6 HELD userRoot/entryusn.db page 8 > 80003201 READ 2 HELD userRoot/entryusn.db page 8 > 80003201 WRITE 2 HELD userRoot/uidnumber.db page 4 > 80003201 READ 1 HELD userRoot/uidnumber.db page 4 > 80003201 WRITE 3 HELD userRoot/parentid.db page 1 > 80003201 READ 1 HELD userRoot/parentid.db page 1 > 80003201 WRITE 2 HELD userRoot/ipauniqueid.db page 5 > 80003201 READ 1 HELD userRoot/ipauniqueid.db page 5 > 80003201 WRITE 3 HELD userRoot/nsuniqueid.db page 2 > 80003201 READ 1 HELD userRoot/nsuniqueid.db page 2 > 80003201 WRITE 2 HELD userRoot/uid.db page 21 > 80003201 READ 1 HELD 
userRoot/uid.db page 21 > 80003201 WRITE 2 HELD userRoot/uid.db page 12 > 80003201 READ 1 HELD userRoot/uid.db page 12 > 80003201 WRITE 2 HELD userRoot/uid.db page 16 > 80003201 READ 1 HELD userRoot/uid.db page 16 > 80003201 WRITE 2 HELD userRoot/uid.db page 15 > 80003201 READ 1 HELD userRoot/uid.db page 15 > 80003201 WRITE 2 HELD userRoot/uid.db page 4 > 80003201 READ 1 HELD userRoot/uid.db page 4 > 80003201 WRITE 2 HELD userRoot/uid.db page 9 > 80003201 READ 1 HELD userRoot/uid.db page 9 > 80003201 WRITE 2 HELD userRoot/uid.db page 19 > 80003201 READ 1 HELD userRoot/uid.db page 19 > 80003201 WRITE 2 HELD userRoot/givenName.db page 27 > 80003201 READ 1 HELD userRoot/givenName.db page 27 > 80003201 WRITE 2 HELD userRoot/givenName.db page 3 > 80003201 READ 1 HELD userRoot/givenName.db page 3 > 80003201 WRITE 2 HELD userRoot/givenName.db page 22 > 80003201 READ 1 HELD userRoot/givenName.db page 22 > 80003201 WRITE 2 HELD userRoot/givenName.db page 11 > 80003201 READ 1 HELD userRoot/givenName.db page 11 > 80003201 WRITE 2 HELD userRoot/givenName.db page 17 > 80003201 READ 1 HELD userRoot/givenName.db page 17 > 80003201 WRITE 2 HELD userRoot/givenName.db page 15 > 80003201 READ 1 HELD userRoot/givenName.db page 15 > 80003201 WRITE 2 HELD userRoot/givenName.db page 16 > 80003201 READ 1 HELD userRoot/givenName.db page 16 > 80003201 WRITE 2 HELD userRoot/givenName.db page 25 > 80003201 READ 1 HELD userRoot/givenName.db page 25 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 11 > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 11 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db > page 9 > 80003201 READ 1 HELD userRoot/krbPrincipalName.db > page 9 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 10 > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 10 > 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db > page 2 > 80003201 READ 2 HELD userRoot/krbPrincipalName.db > page 2 > 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db > page 
3 > 80003201 READ 2 HELD userRoot/krbPrincipalName.db > page 3 > 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db > page 8 > 80003201 READ 2 HELD userRoot/krbPrincipalName.db > page 8 > 80003201 WRITE 6 HELD userRoot/krbPrincipalName.db page > 15 > 80003201 READ 3 HELD userRoot/krbPrincipalName.db page > 15 > 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db > page 6 > 80003201 READ 2 HELD userRoot/krbPrincipalName.db > page 6 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 80 > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 80 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 81 > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 81 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 79 > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 79 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 38 > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 38 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db > page 4 > 80003201 READ 1 HELD userRoot/krbPrincipalName.db > page 4 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 47 > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 47 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 84 > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 84 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 39 > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 39 > 80003201 WRITE 2 HELD userRoot/mail.db page 42 > 80003201 READ 1 HELD userRoot/mail.db page 42 > 80003201 WRITE 2 HELD userRoot/mail.db page 12 > 80003201 READ 1 HELD userRoot/mail.db page 12 > 80003201 WRITE 2 HELD userRoot/mail.db page 2 > 80003201 READ 1 HELD userRoot/mail.db page 2 > 80003201 WRITE 2 HELD userRoot/mail.db page 67 > 80003201 READ 1 HELD userRoot/mail.db page 67 > 80003201 WRITE 2 HELD userRoot/mail.db page 25 > 80003201 READ 1 HELD userRoot/mail.db page 25 > 80003201 WRITE 2 HELD userRoot/mail.db page 41 > 80003201 READ 1 HELD 
userRoot/mail.db page 41 > 80003201 WRITE 2 HELD userRoot/mail.db page 35 > 80003201 READ 1 HELD userRoot/mail.db page 35 > 80003201 WRITE 2 HELD userRoot/mail.db page 74 > 80003201 READ 1 HELD userRoot/mail.db page 74 > 80003201 WRITE 2 HELD userRoot/mail.db page 40 > 80003201 READ 1 HELD userRoot/mail.db page 40 > 80003201 WRITE 2 HELD userRoot/mail.db page 9 > 80003201 READ 1 HELD userRoot/mail.db page 9 > 80003201 WRITE 2 HELD userRoot/mail.db page 75 > 80003201 READ 1 HELD userRoot/mail.db page 75 > 80003201 WRITE 2 HELD userRoot/mail.db page 43 > 80003201 READ 1 HELD userRoot/mail.db page 43 > 80003201 WRITE 2 HELD userRoot/mail.db page 27 > 80003201 READ 1 HELD userRoot/mail.db page 27 > 80003201 WRITE 2 HELD userRoot/mail.db page 10 > 80003201 READ 1 HELD userRoot/mail.db page 10 > 80003201 WRITE 2 HELD userRoot/mail.db page 72 > 80003201 READ 1 HELD userRoot/mail.db page 72 > 80003201 WRITE 2 HELD userRoot/sn.db page 9 > 80003201 READ 1 HELD userRoot/sn.db page 9 > 80003201 WRITE 2 HELD userRoot/sn.db page 3 > 80003201 READ 1 HELD userRoot/sn.db page 3 > 80003201 WRITE 2 HELD userRoot/sn.db page 5 > 80003201 READ 1 HELD userRoot/sn.db page 5 > 80003201 WRITE 2 HELD userRoot/sn.db page 25 > 80003201 READ 1 HELD userRoot/sn.db page 25 > 80003201 WRITE 2 HELD userRoot/sn.db page 6 > 80003201 READ 1 HELD userRoot/sn.db page 6 > 80003201 WRITE 4 HELD userRoot/sn.db page 29 > 80003201 READ 2 HELD userRoot/sn.db page 29 > 80003201 WRITE 2 HELD userRoot/gidnumber.db page 2 > 80003201 READ 1 HELD userRoot/gidnumber.db page 2 > 80003201 WRITE 26 HELD userRoot/displayname.db page 1 > 80003201 READ 13 HELD userRoot/displayname.db page 1 > 80003201 WRITE 2 HELD userRoot/objectclass.db page 16 > 80003201 READ 1 HELD userRoot/objectclass.db page 16 > 80003201 WRITE 2 HELD userRoot/objectclass.db page 9 > 80003201 READ 1 HELD userRoot/objectclass.db page 9 > 80003201 WRITE 2 HELD userRoot/objectclass.db page 15 > 80003201 READ 1 HELD userRoot/objectclass.db page 15 > 
80003201 WRITE 2 HELD userRoot/objectclass.db page 18 > 80003201 READ 1 HELD userRoot/objectclass.db page 18 > 80003201 WRITE 4 HELD userRoot/objectclass.db page 2 > 80003201 READ 2 HELD userRoot/objectclass.db page 2 > 80003201 WRITE 4 HELD userRoot/objectclass.db page 8 > 80003201 READ 2 HELD userRoot/objectclass.db page 8 > 80003201 WRITE 6 HELD userRoot/objectclass.db page 19 > 80003201 READ 21 HELD userRoot/objectclass.db page 19 > 80003201 WRITE 4 HELD userRoot/objectclass.db page 3 > 80003201 READ 2 HELD userRoot/objectclass.db page 3 > 80003201 WRITE 2 HELD userRoot/cn.db page 28 > 80003201 READ 1 HELD userRoot/cn.db page 28 > 80003201 WRITE 2 HELD userRoot/cn.db page 81 > 80003201 READ 1 HELD userRoot/cn.db page 81 > 80003201 WRITE 2 HELD userRoot/cn.db page 21 > 80003201 READ 1 HELD userRoot/cn.db page 21 > 80003201 WRITE 2 HELD userRoot/cn.db page 32 > 80003201 READ 1 HELD userRoot/cn.db page 32 > 80003201 WRITE 2 HELD userRoot/cn.db page 2 > 80003201 READ 1 HELD userRoot/cn.db page 2 > 80003201 WRITE 2 HELD userRoot/cn.db page 4 > 80003201 READ 1 HELD userRoot/cn.db page 4 > 80003201 WRITE 2 HELD userRoot/cn.db page 52 > 80003201 READ 1 HELD userRoot/cn.db page 52 > 80003201 WRITE 2 HELD userRoot/cn.db page 53 > 80003201 READ 1 HELD userRoot/cn.db page 53 > 80003201 WRITE 2 HELD userRoot/cn.db page 44 > 80003201 READ 1 HELD userRoot/cn.db page 44 > 80003201 WRITE 2 HELD userRoot/cn.db page 26 > 80003201 READ 1 HELD userRoot/cn.db page 26 > 80003201 WRITE 2 HELD userRoot/cn.db page 67 > 80003201 READ 1 HELD userRoot/cn.db page 67 > 80003201 WRITE 2 HELD userRoot/cn.db page 16 > 80003201 READ 1 HELD userRoot/cn.db page 16 > 80003201 WRITE 2 HELD userRoot/cn.db page 15 > 80003201 READ 1 HELD userRoot/cn.db page 15 > 80003201 WRITE 2 HELD userRoot/cn.db page 78 > 80003201 READ 1 HELD userRoot/cn.db page 78 > 80003201 WRITE 24 HELD userRoot/id2entry.db page 0 > 80003201 WRITE 1 HELD userRoot/id2entry.db page 1420 > 80003201 READ 1 HELD userRoot/id2entry.db 
page 3 > 80003201 READ 1 HELD userRoot/entryrdn.db page 19 > 80003201 READ 1 HELD userRoot/id2entry.db page 8 > 80003201 READ 3 HELD userRoot/entryrdn.db page 69 > 80003201 READ 1 HELD userRoot/entryrdn.db page 4 > 80003201 READ 1 HELD userRoot/id2entry.db page 20 > 80003201 READ 10 HELD userRoot/entryrdn.db page 3 > 80003201 READ 1 HELD userRoot/id2entry.db page 5 > 80003201 READ 3 HELD userRoot/entryrdn.db page 23 > 80003201 READ 3 HELD userRoot/entryrdn.db page 28 > 80003201 READ 2 HELD userRoot/entryrdn.db page 9 > 80003201 READ 1 HELD userRoot/id2entry.db page 66 > 80003201 READ 5 HELD userRoot/entryrdn.db page 6 > 80003201 READ 5 HELD userRoot/entryrdn.db page 20 > 80003201 READ 10 HELD userRoot/entryrdn.db page 40 > 80003201 READ 14 HELD userRoot/entryrdn.db page 41 > 80003231 dd=4294967295 locks held 4 write locks 0 pid/thread > 6134/140366703388416 flags 0 priority 100 > 80003231 READ 1 HELD userRoot/id2entry.db page 1420 > 80003231 READ 2 HELD userRoot/entryrdn.db page 3 > 80003231 READ 1 HELD userRoot/entryrdn.db page 40 > 80003231 READ 1 HELD userRoot/entryrdn.db page 41 > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > Locks grouped by object: > Locker Mode Count Status ----------------- Object --------------- > 49 READ 1 HELD userRoot/aci.db handle 0 > > 61 READ 1 HELD userRoot/ipakrbprincipalalias.db > handle 0 > > 80003201 READ 1 HELD userRoot/seeAlso.db page 1 > > 66 READ 1 HELD userRoot/seeAlso.db handle 0 > > 75 READ 1 HELD ipaca/cn.db handle 0 > > 1d READ 1 HELD ipaca/vlv#cacompletepkitomcatindex.db > handle 0 > > 89 READ 1 HELD userRoot/memberallowcmd.db handle 0 > > 80003201 READ 1 HELD userRoot/memberallowcmd.db page 1 > > 82 READ 1 HELD userRoot/manager.db handle 0 > > 80003201 READ 1 HELD userRoot/manager.db page 1 > > 56 READ 1 HELD changelog/targetuniqueid.db handle > 0 > > 80003201 WRITE 2 HELD changelog/targetuniqueid.db page > 45 > > 21 READ 1 HELD ipaca/vlv#caenrollmentpkitomcatindex.db > handle 0 > > 83 READ 1 HELD 
userRoot/secretary.db handle 0 > > 80003201 READ 1 HELD userRoot/secretary.db page 1 > > 7b READ 1 HELD userRoot/uidnumber.db handle 0 > > 80003201 READ 1 HELD userRoot/uidnumber.db page 4 > 80003201 WRITE 2 HELD userRoot/uidnumber.db page 4 > > 386 READ 1 HELD userRoot/nscpEntryDN.db handle 0 > > 80003201 WRITE 1 HELD userRoot/nscpEntryDN.db page 1 > > 58 READ 1 HELD changelog/ancestorid.db handle 0 > > 80003201 WRITE 2 HELD changelog/ancestorid.db page 1 > > 6 READ 1 HELD ipaca/entryrdn.db handle 0 > > 80003201 READ 1 HELD userRoot/cn.db page 67 > 80003201 WRITE 2 HELD userRoot/cn.db page 67 > > 80003201 READ 1 HELD userRoot/cn.db page 78 > 80003201 WRITE 2 HELD userRoot/cn.db page 78 > > 80003201 READ 1 HELD userRoot/cn.db page 81 > 80003201 WRITE 2 HELD userRoot/cn.db page 81 > > 381 READ 1 HELD userRoot/displayname.db handle 0 > > 80003201 READ 13 HELD userRoot/displayname.db page 1 > 80003201 WRITE 26 HELD userRoot/displayname.db page 1 > > 80003201 READ 1 HELD userRoot/cn.db page 32 > 80003201 WRITE 2 HELD userRoot/cn.db page 32 > > 80003201 READ 1 HELD userRoot/cn.db page 44 > 80003201 WRITE 2 HELD userRoot/cn.db page 44 > > 80003201 READ 1 HELD userRoot/cn.db page 52 > 80003201 WRITE 2 HELD userRoot/cn.db page 52 > > 80003201 READ 1 HELD userRoot/cn.db page 53 > 80003201 WRITE 2 HELD userRoot/cn.db page 53 > > 80003201 READ 1 HELD userRoot/cn.db page 4 > 80003201 WRITE 2 HELD userRoot/cn.db page 4 > > 80003201 READ 1 HELD userRoot/cn.db page 2 > 80003201 WRITE 2 HELD userRoot/cn.db page 2 > > 9a READ 1 HELD userRoot/cn.db handle 0 > > 80003201 READ 1 HELD userRoot/cn.db page 15 > 80003201 WRITE 2 HELD userRoot/cn.db page 15 > > 80003201 READ 1 HELD userRoot/cn.db page 21 > 80003201 WRITE 2 HELD userRoot/cn.db page 21 > > 80003201 READ 1 HELD userRoot/cn.db page 16 > 80003201 WRITE 2 HELD userRoot/cn.db page 16 > > 80003201 READ 1 HELD userRoot/cn.db page 28 > 80003201 WRITE 2 HELD userRoot/cn.db page 28 > > 80003201 READ 1 HELD userRoot/cn.db page 26 > 
80003201 WRITE 2 HELD userRoot/cn.db page 26 > > 4d READ 1 HELD ipaca/aci.db handle 0 > > 80003201 READ 3 HELD userRoot/entryrdn.db page 69 > 80003201 WRITE 3 HELD userRoot/entryrdn.db page 69 > > 80003201 READ 1 HELD userRoot/entryrdn.db page 68 > 80003201 WRITE 3 HELD userRoot/entryrdn.db page 68 > > 80003201 READ 14 HELD userRoot/entryrdn.db page 41 > 80003231 READ 1 HELD userRoot/entryrdn.db page 41 > > 80003201 READ 10 HELD userRoot/entryrdn.db page 40 > 80003231 READ 1 HELD userRoot/entryrdn.db page 40 > > 80003201 READ 1 HELD userRoot/entryrdn.db page 4 > > 80003201 READ 5 HELD userRoot/entryrdn.db page 6 > > 34 READ 1 HELD userRoot/entryrdn.db handle 0 > > 80003201 READ 10 HELD userRoot/entryrdn.db page 3 > 80003201 WRITE 3 HELD userRoot/entryrdn.db page 3 > 80003231 READ 2 HELD userRoot/entryrdn.db page 3 > > 80003201 READ 2 HELD userRoot/entryrdn.db page 9 > > 80003201 READ 5 HELD userRoot/entryrdn.db page 20 > > 80003201 READ 3 HELD userRoot/entryrdn.db page 23 > > 80003201 READ 1 HELD userRoot/entryrdn.db page 19 > > 80003201 READ 3 HELD userRoot/entryrdn.db page 28 > > 80003201 READ 1 HELD userRoot/givenName.db page 3 > 80003201 WRITE 2 HELD userRoot/givenName.db page 3 > > 384 READ 1 HELD userRoot/givenName.db handle 0 > > 80003201 READ 1 HELD userRoot/givenName.db page 11 > 80003201 WRITE 2 HELD userRoot/givenName.db page 11 > > 80003201 READ 1 HELD userRoot/givenName.db page 15 > 80003201 WRITE 2 HELD userRoot/givenName.db page 15 > > 80003201 READ 1 HELD userRoot/givenName.db page 17 > 80003201 WRITE 2 HELD userRoot/givenName.db page 17 > > 80003201 READ 1 HELD userRoot/givenName.db page 16 > 80003201 WRITE 2 HELD userRoot/givenName.db page 16 > > 80003201 READ 1 HELD userRoot/givenName.db page 22 > 80003201 WRITE 2 HELD userRoot/givenName.db page 22 > > 80003201 READ 1 HELD userRoot/givenName.db page 27 > 80003201 WRITE 2 HELD userRoot/givenName.db page 27 > > 80003201 READ 1 HELD userRoot/givenName.db page 25 > 80003201 WRITE 2 HELD 
userRoot/givenName.db page 25 > > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 47 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 47 > > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 39 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 39 > > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 38 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 38 > > 23 READ 1 HELD > ipaca/vlv#capendingenrollmentpkitomcatindex.db handle 0 > > 80003201 READ 1 HELD userRoot/krbPrincipalName.db > page 9 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db > page 9 > > 80003201 READ 2 HELD userRoot/krbPrincipalName.db > page 8 > 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db > page 8 > > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 11 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 11 > > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 10 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 10 > > 80003201 READ 3 HELD userRoot/krbPrincipalName.db page > 15 > 80003201 WRITE 6 HELD userRoot/krbPrincipalName.db page > 15 > > 5d READ 1 HELD userRoot/krbPrincipalName.db > handle 0 > > 80003201 READ 2 HELD userRoot/krbPrincipalName.db > page 3 > 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db > page 3 > > 80003201 READ 2 HELD userRoot/krbPrincipalName.db > page 2 > 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db > page 2 > > 80003201 READ 1 HELD userRoot/krbPrincipalName.db > page 4 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db > page 4 > > 80003201 READ 2 HELD userRoot/krbPrincipalName.db > page 6 > 80003201 WRITE 4 HELD userRoot/krbPrincipalName.db > page 6 > > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 79 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 79 > > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 81 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 81 > > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 80 > 
80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 80 > > 80003201 READ 1 HELD userRoot/krbPrincipalName.db page > 84 > 80003201 WRITE 2 HELD userRoot/krbPrincipalName.db page > 84 > > 2c READ 1 HELD changelog/id2entry.db handle 0 > > 80003201 WRITE 2 HELD changelog/id2entry.db page 2 > > a READ 1 HELD ipaca/vlv#allcertspkitomcatindex.db > handle 0 > > 44 READ 1 HELD ipaca/objectclass.db handle 0 > > 80003201 READ 1 HELD userRoot/gidnumber.db page 2 > 80003201 WRITE 2 HELD userRoot/gidnumber.db page 2 > > 79 READ 1 HELD userRoot/gidnumber.db handle 0 > > 77 READ 1 HELD ipaca/requeststate.db handle 0 > > 80003201 WRITE 2 HELD changelog/id2entry.db page 661 > > 385 READ 1 HELD userRoot/ipauniqueid.db handle 0 > > 80003201 READ 1 HELD userRoot/ipauniqueid.db page 5 > 80003201 WRITE 2 HELD userRoot/ipauniqueid.db page 5 > > c READ 1 HELD > ipaca/vlv#allinvalidcertspkitomcatindex.db handle 0 > > 16 READ 1 HELD > ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db handle 0 > > 80003201 WRITE 2 HELD changelog/entryusn.db page 5 > > 2e READ 1 HELD changelog/entryusn.db handle 0 > > 80003201 READ 2 HELD userRoot/sn.db page 29 > 80003201 WRITE 4 HELD userRoot/sn.db page 29 > > 80003201 READ 1 HELD userRoot/sn.db page 25 > 80003201 WRITE 2 HELD userRoot/sn.db page 25 > > 80003201 READ 1 HELD userRoot/sn.db page 6 > 80003201 WRITE 2 HELD userRoot/sn.db page 6 > > 80003201 READ 1 HELD userRoot/sn.db page 5 > 80003201 WRITE 2 HELD userRoot/sn.db page 5 > > 80003201 READ 1 HELD userRoot/sn.db page 3 > 80003201 WRITE 2 HELD userRoot/sn.db page 3 > > 382 READ 1 HELD userRoot/sn.db handle 0 > > 80003201 READ 1 HELD userRoot/sn.db page 9 > 80003201 WRITE 2 HELD userRoot/sn.db page 9 > > 4 READ 1 HELD ipaca/id2entry.db handle 0 > > 80003201 READ 1 HELD userRoot/owner.db page 1 > > 81 READ 1 HELD userRoot/owner.db handle 0 > > 7d READ 1 HELD userRoot/nsuniqueid.db handle 0 > > 80003201 READ 1 HELD userRoot/nsuniqueid.db page 2 > 80003201 WRITE 3 HELD userRoot/nsuniqueid.db page 2 > 
> 32 READ 1 HELD ipaca/entryusn.db handle 0 > > 91 READ 1 HELD userRoot/uid.db handle 0 > > 80003201 READ 1 HELD userRoot/uid.db page 4 > 80003201 WRITE 2 HELD userRoot/uid.db page 4 > > 80003201 READ 1 HELD userRoot/uid.db page 9 > 80003201 WRITE 2 HELD userRoot/uid.db page 9 > > 80003201 READ 1 HELD userRoot/uid.db page 15 > 80003201 WRITE 2 HELD userRoot/uid.db page 15 > > 80003201 READ 1 HELD userRoot/uid.db page 12 > 80003201 WRITE 2 HELD userRoot/uid.db page 12 > > 80003201 READ 1 HELD userRoot/uid.db page 19 > 80003201 WRITE 2 HELD userRoot/uid.db page 19 > > 80003201 READ 1 HELD userRoot/uid.db page 16 > 80003201 WRITE 2 HELD userRoot/uid.db page 16 > > 52 READ 1 HELD changelog/nsuniqueid.db handle 0 > > 7e READ 1 HELD userRoot/numsubordinates.db handle > 0 > > 80003201 WRITE 1 HELD userRoot/numsubordinates.db page > 1 > > 80003201 READ 1 HELD userRoot/uid.db page 21 > 80003201 WRITE 2 HELD userRoot/uid.db page 21 > > 80003201 READ 2 HELD changelog/nsuniqueid.db page 18 > 80003201 WRITE 2 HELD changelog/nsuniqueid.db page 18 > > 80003201 READ 1 HELD userRoot/memberdenycmd.db page 1 > > 8a READ 1 HELD userRoot/memberdenycmd.db handle 0 > > 8c READ 1 HELD userRoot/ipasudorunasgroup.db > handle 0 > > 80003201 READ 1 HELD userRoot/ipasudorunasgroup.db > page 1 > > 80003201 READ 1 HELD userRoot/id2entry.db page 66 > > 47 READ 1 HELD changelog/aci.db handle 0 > > 80003201 READ 1 HELD userRoot/id2entry.db page 20 > > 80003201 READ 1 HELD userRoot/id2entry.db page 8 > > 80003201 WRITE 1 HELD userRoot/id2entry.db page 6 > > 80003201 READ 1 HELD userRoot/id2entry.db page 5 > > 80003201 READ 1 HELD userRoot/id2entry.db page 3 > > 80003201 WRITE 1 HELD userRoot/id2entry.db page 2 > 36 READ 1 WAIT userRoot/id2entry.db page 2 > > 80003201 WRITE 24 HELD userRoot/id2entry.db page 0 > > 2 READ 1 HELD userRoot/id2entry.db handle 0 > > 80003201 READ 1 HELD userRoot/memberUser.db page 1 > > 84 READ 1 HELD userRoot/memberUser.db handle 0 > > 80003201 WRITE 6 HELD 
changelog/objectclass.db page 1 > > 40 READ 1 HELD changelog/objectclass.db handle 0 > > 8b READ 1 HELD userRoot/ipasudorunas.db handle 0 > > 80003201 READ 1 HELD userRoot/ipasudorunas.db page 1 > > 15 READ 1 HELD ipaca/vlv#allvalidcertspkitomcatindex.db > handle 0 > > 57 READ 1 HELD changelog/parentid.db handle 0 > > 80003201 WRITE 2 HELD changelog/parentid.db page 1 > > 86 READ 1 HELD userRoot/sourcehost.db handle 0 > > 80003201 READ 1 HELD userRoot/sourcehost.db page 1 > > 80003201 WRITE 2 HELD changelog/entryrdn.db page 85 > > 3c READ 1 HELD changelog/entryrdn.db handle 0 > > 80003201 READ 4 HELD changelog/entryrdn.db page 13 > 80003201 WRITE 2 HELD changelog/entryrdn.db page 13 > > 80003201 READ 1 HELD userRoot/ipaassignedidview.db > page 1 > > 8e READ 1 HELD userRoot/ipaassignedidview.db > handle 0 > > 80003201 WRITE 1 HELD userRoot/id2entry.db page 1420 > 80003231 READ 1 HELD userRoot/id2entry.db page 1420 > > 80003201 READ 6 HELD changelog/entryrdn.db page 51 > > 80003201 READ 1 HELD userRoot/memberOf.db page 4 > > 80003201 WRITE 2 HELD changelog/entryrdn.db page 63 > > 37f READ 1 HELD userRoot/memberOf.db handle 0 > > 80003201 READ 1 HELD userRoot/memberOf.db page 12 > 80003201 WRITE 2 HELD userRoot/memberOf.db page 12 > > 80003201 READ 1 HELD userRoot/ipatokenradiusconfiglink.db > page 1 > > 8d READ 1 HELD userRoot/ipatokenradiusconfiglink.db > handle 0 > > 80003201 READ 1 HELD userRoot/managedby.db page 4 > > 68 READ 1 HELD ipaca/seeAlso.db handle 0 > > 88 READ 1 HELD userRoot/managedby.db handle 0 > > 22 READ 1 HELD ipaca/vlv#capendingpkitomcatindex.db > handle 0 > > 1e READ 1 HELD > ipaca/vlv#cacompleteenrollmentpkitomcatindex.db handle 0 > > 85 READ 1 HELD userRoot/memberHost.db handle 0 > > 80003201 READ 1 HELD userRoot/memberHost.db page 1 > > 18 READ 1 HELD ipaca/vlv#caallpkitomcatindex.db > handle 0 > > 97 READ 1 HELD userRoot/memberuid.db handle 0 > > 87 READ 1 HELD userRoot/memberservice.db handle 0 > > 80003201 READ 1 HELD 
userRoot/memberservice.db page 1 > > 80003201 READ 1 HELD userRoot/parentid.db page 1 > 80003201 WRITE 3 HELD userRoot/parentid.db page 1 > > 4f READ 1 HELD userRoot/parentid.db handle 0 > > 80003201 WRITE 2 HELD changelog/changenumber.db page 2 > > 53 READ 1 HELD changelog/changenumber.db handle 0 > > 64 READ 1 HELD changelog/seeAlso.db handle 0 > > 80003201 READ 2 HELD userRoot/entryusn.db page 8 > 80003201 WRITE 6 HELD userRoot/entryusn.db page 8 > > 30 READ 1 HELD userRoot/entryusn.db handle 0 > > 80003201 READ 1 HELD userRoot/ancestorid.db page 4 > 80003201 WRITE 2 HELD userRoot/ancestorid.db page 4 > > 3a READ 1 HELD userRoot/ancestorid.db handle 0 > > 80003201 READ 2 HELD userRoot/ancestorid.db page 3 > 80003201 WRITE 4 HELD userRoot/ancestorid.db page 3 > > 80003201 READ 1 HELD userRoot/mail.db page 67 > 80003201 WRITE 2 HELD userRoot/mail.db page 67 > > 80003201 READ 1 HELD userRoot/mail.db page 72 > 80003201 WRITE 2 HELD userRoot/mail.db page 72 > > 80003201 READ 1 HELD userRoot/mail.db page 74 > 80003201 WRITE 2 HELD userRoot/mail.db page 74 > > 80003201 READ 1 HELD userRoot/mail.db page 75 > 80003201 WRITE 2 HELD userRoot/mail.db page 75 > > 383 READ 1 HELD userRoot/mail.db handle 0 > > 80003201 READ 1 HELD userRoot/mail.db page 2 > 80003201 WRITE 2 HELD userRoot/mail.db page 2 > > 80003201 READ 1 HELD userRoot/mail.db page 12 > 80003201 WRITE 2 HELD userRoot/mail.db page 12 > > 80003201 READ 1 HELD userRoot/mail.db page 9 > 80003201 WRITE 2 HELD userRoot/mail.db page 9 > > 80003201 READ 1 HELD userRoot/mail.db page 10 > 80003201 WRITE 2 HELD userRoot/mail.db page 10 > > 80003201 READ 1 HELD userRoot/mail.db page 25 > 80003201 WRITE 2 HELD userRoot/mail.db page 25 > > 80003201 READ 1 HELD userRoot/mail.db page 27 > 80003201 WRITE 2 HELD userRoot/mail.db page 27 > > 80003201 READ 1 HELD userRoot/mail.db page 35 > 80003201 WRITE 2 HELD userRoot/mail.db page 35 > > 80003201 READ 1 HELD userRoot/mail.db page 40 > 80003201 WRITE 2 HELD userRoot/mail.db page 
40 > > 80003201 READ 1 HELD userRoot/mail.db page 41 > 80003201 WRITE 2 HELD userRoot/mail.db page 41 > > 80003201 READ 1 HELD userRoot/mail.db page 42 > 80003201 WRITE 2 HELD userRoot/mail.db page 42 > > 80003201 READ 1 HELD userRoot/mail.db page 43 > 80003201 WRITE 2 HELD userRoot/mail.db page 43 > > d READ 1 HELD > ipaca/vlv#allinvalidcertsnotbeforepkitomcatindex.db handle 0 > > 80 READ 1 HELD userRoot/uniquemember.db handle 0 > > 80003201 READ 1 HELD userRoot/uniquemember.db page 1 > > 80003201 READ 1 HELD userRoot/member.db page 59 > 80003201 WRITE 2 HELD userRoot/member.db page 59 > > 80003201 READ 1 HELD userRoot/member.db page 3 > 80003201 WRITE 2 HELD userRoot/member.db page 3 > > 7f READ 1 HELD userRoot/member.db handle 0 > > 80003201 READ 3 HELD userRoot/member.db page 110 > 80003201 WRITE 2 HELD userRoot/member.db page 110 > > 59 READ 1 HELD changelog/numsubordinates.db > handle 0 > > 80003201 WRITE 2 HELD changelog/numsubordinates.db > page 1 > > e READ 1 HELD > ipaca/vlv#allnonrevokedcertspkitomcatindex.db handle 0 > > 71 READ 1 HELD ipaca/certstatus.db handle 0 > > 17 READ 1 HELD > ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db handle 0 > > 80003201 READ 2 HELD userRoot/objectclass.db page 8 > 80003201 WRITE 4 HELD userRoot/objectclass.db page 8 > > 80003201 READ 1 HELD userRoot/objectclass.db page 9 > 80003201 WRITE 2 HELD userRoot/objectclass.db page 9 > > 80003201 READ 1 HELD userRoot/objectclass.db page 15 > 80003201 WRITE 2 HELD userRoot/objectclass.db page 15 > > 80003201 READ 2 HELD userRoot/objectclass.db page 2 > 80003201 WRITE 4 HELD userRoot/objectclass.db page 2 > 43 READ 1 WAIT userRoot/objectclass.db page 2 > > 80003201 READ 2 HELD userRoot/objectclass.db page 3 > 80003201 WRITE 4 HELD userRoot/objectclass.db page 3 > > 38 READ 1 HELD userRoot/objectclass.db handle 0 > > 80003201 READ 1 HELD userRoot/objectclass.db page 18 > 80003201 WRITE 2 HELD userRoot/objectclass.db page 18 > > 80003201 READ 21 HELD userRoot/objectclass.db page 
> 19
> 80003201 WRITE 6 HELD userRoot/objectclass.db page 19
>
> 80003201 READ 1 HELD userRoot/objectclass.db page 16
> 80003201 WRITE 2 HELD userRoot/objectclass.db page 16
>
> 80003201 WRITE 1 HELD userRoot/objectclass.db page 17
>
>
> On Tue, Sep 22, 2015 at 4:12 AM, thierry bordaz wrote:
>
>> Hi,
>>
>> If it hangs again, could you get a pstack of the slapd process
>> And also dump the db info
>> 'db_stat -h /var/lib/dirsrv/slapd-/db -N -CA'. This would help
>> to know which thread holds the lock that blocks those operations ?
>>
>> thanks
>> thierry
>>
>>
>> On 09/18/2015 09:20 PM, HECTOR LOPEZ wrote:
>>
>> Ludwig Krispenz,
>>
>> This is the output of gstack on ns-slapd (pstack on rhel), also killing
>> the ns-slapd process gave this error "ipa: ERROR: cannot connect to
>> 'ldapi://%2fvar%2frun%2fslapd-GSEIS-UCLA-EDU.socket': " After that I could
>> use ipactl restart and the command runs successfully. Thank you for
>> helping me. Again, here is the pstack output of ns-slapd:
>>
>>
>> -sh-4.2$ sudo gstack 2197
>>
>> Thread 45 (Thread 0x7f3ad8144700 (LWP 2651)):
>> #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>> #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>> #2 0x00007f3adc11e4a7 in deadlock_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 44 (Thread 0x7f3ad7943700 (LWP 2652)):
>> #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>> #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>> #2 0x00007f3adc122576 in checkpoint_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 43 (Thread 0x7f3ad7142700 (LWP 2653)):
>> #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>> #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>> #2 0x00007f3adc11e71f in trickle_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 42 (Thread 0x7f3ad6941700 (LWP 2654)):
>> #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>> #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>> #2 0x00007f3adc119437 in perf_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>> #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #4 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 41 (Thread 0x7f3ad6140700 (LWP 2655)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>> #3 0x00007f3ae058164e in cos_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libcos-plugin.so
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 40 (Thread 0x7f3ad593f700 (LWP 2656)):
>> #0 0x00007f3ae7400b7d in poll () from /lib64/libc.so.6
>> #1 0x00007f3addf0247c in ipa_cldap_worker () from /usr/lib64/dirsrv/plugins/libipa_cldap.so
>> #2 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #3 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 39 (Thread 0x7f3ad513e700 (LWP 2657)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>> #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 38 (Thread 0x7f3ad493d700 (LWP 2658)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>> #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 37 (Thread 0x7f3acffff700 (LWP 2659)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>> #3 0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 36 (Thread 0x7f3acf7fe700 (LWP 2660)):
>> #0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so
>> #2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so
>> #3 0x00007f3ae9e21a93 in housecleaning ()
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 35 (Thread 0x7f3aceffd700 (LWP 2661)):
>> #0 0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so
>> #2 0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so
>> #3 0x00007f3ae9914188 in eq_loop () from /usr/lib64/dirsrv/libslapd.so.0
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 34 (Thread 0x7f3ace55b700 (LWP 2663)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
>> #3 0x00007f3ae9e1988d in connection_threadmain ()
>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>
>> Thread 33 (Thread 0x7f3acdd5a700 (LWP 2664)):
>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x00007f3ae9e1865e in connection_wait_for_new_work ()
>> #3 0x00007f3ae9e1988d in connection_threadmain ()
>> #4 0x00007f3ae7d3c7bb in _pt_root () from
/lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 32 (Thread 0x7f3acd559700 (LWP 2665)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ >> libdb-5.3.so >> >> #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so >> >> #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so >> >> #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so >> >> #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so >> >> #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so >> >> #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so >> >> #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so >> >> #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so >> >> #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so >> >> #11 0x00007f3adc12d180 in idl_new_fetch () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #13 0x00007f3adc125dd4 in keys2idl () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #15 0x00007f3adc126b22 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #16 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #17 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #18 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #19 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #20 
0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #21 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #22 0x00007f3adc161fdc in subtree_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #23 0x00007f3adc1635f7 in ldbm_back_search () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #24 0x00007f3ae993fd49 in op_shared_search () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #25 0x00007f3ae9e2b07e in do_search () >> >> #26 0x00007f3ae9e1a405 in connection_threadmain () >> >> #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 31 (Thread 0x7f3accd58700 (LWP 2666)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ >> libdb-5.3.so >> >> #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so >> >> #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so >> >> #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so >> >> #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so >> >> #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so >> >> #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so >> >> #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so >> >> #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so >> >> #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so >> >> #11 0x00007f3adc12d180 in idl_new_fetch () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #13 0x00007f3adc125dd4 in keys2idl () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> 
>> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #15 0x00007f3adc126b22 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #16 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #17 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #18 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #19 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #20 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #21 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #22 0x00007f3adc161fdc in subtree_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #23 0x00007f3adc1635f7 in ldbm_back_search () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #24 0x00007f3ae993fd49 in op_shared_search () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #25 0x00007f3ae9e2b07e in do_search () >> >> #26 0x00007f3ae9e1a405 in connection_threadmain () >> >> #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 30 (Thread 0x7f3ac3fff700 (LWP 2667)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ >> libdb-5.3.so >> >> #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so >> >> #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so >> >> #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so >> >> #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so >> >> #6 
0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so >> >> #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so >> >> #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so >> >> #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so >> >> #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so >> >> #11 0x00007f3adc12d180 in idl_new_fetch () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #13 0x00007f3adc125dd4 in keys2idl () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #15 0x00007f3adc126b22 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #16 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #17 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #18 0x00007f3adc161fdc in subtree_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #19 0x00007f3adc1635f7 in ldbm_back_search () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #20 0x00007f3ae993fd49 in op_shared_search () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #21 0x00007f3ae99501de in search_internal_callback_pb () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #22 0x00007f3ae9950478 in search_internal_pb () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #23 0x00007f3ae9e291fb in ids_sasl_canon_user () >> >> #24 0x00007f3ae7afd93b in _sasl_canon_user () from /lib64/libsasl2.so.3 >> >> #25 0x00007f3ae7afdc4c in _sasl_canon_user_lookup () from >> /lib64/libsasl2.so.3 >> >> #26 0x00007f3ae1c226de in crammd5_server_mech_step2.isra.6 () from >> /usr/lib64/sasl2/libcrammd5.so >> >> #27 0x00007f3ae1c22ad9 in crammd5_server_mech_step () from >> /usr/lib64/sasl2/libcrammd5.so >> >> 
#28 0x00007f3ae7b09b88 in sasl_server_step () from /lib64/libsasl2.so.3 >> >> #29 0x00007f3ae9e2a576 in ids_sasl_check_bind () >> >> #30 0x00007f3ae9e13b22 in do_bind () >> >> #31 0x00007f3ae9e1a43f in connection_threadmain () >> >> #32 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #33 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #34 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 29 (Thread 0x7f3ac37fe700 (LWP 2668)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ >> libdb-5.3.so >> >> #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so >> >> #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so >> >> #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so >> >> #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so >> >> #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so >> >> #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so >> >> #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so >> >> #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so >> >> #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so >> >> #11 0x00007f3adc12d180 in idl_new_fetch () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #13 0x00007f3adc125dd4 in keys2idl () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #15 0x00007f3adc126b22 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #16 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #17 0x00007f3adc126a90 in filter_candidates_ext () 
from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #18 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #19 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #20 0x00007f3adc127b96 in list_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #21 0x00007f3adc126a90 in filter_candidates_ext () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #22 0x00007f3adc161fdc in subtree_candidates () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #23 0x00007f3adc1635f7 in ldbm_back_search () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #24 0x00007f3ae993fd49 in op_shared_search () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #25 0x00007f3ae9e2b07e in do_search () >> >> #26 0x00007f3ae9e1a405 in connection_threadmain () >> >> #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 28 (Thread 0x7f3ac2ffd700 (LWP 2669)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 27 (Thread 0x7f3ac27fc700 (LWP 2670)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () 
from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 26 (Thread 0x7f3ac1ffb700 (LWP 2671)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 25 (Thread 0x7f3ac17fa700 (LWP 2672)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 24 (Thread 0x7f3ac0ff9700 (LWP 2673)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 23 (Thread 0x7f3abbfff700 (LWP 2674)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from 
/lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 22 (Thread 0x7f3abb7fe700 (LWP 2675)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 21 (Thread 0x7f3abaffd700 (LWP 2676)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 20 (Thread 0x7f3aba7fc700 (LWP 2677)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 19 (Thread 
0x7f3ab9ffb700 (LWP 2678)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 18 (Thread 0x7f3ab97fa700 (LWP 2679)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 17 (Thread 0x7f3ab8ff9700 (LWP 2680)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 16 (Thread 0x7f3ab87f8700 (LWP 2681)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from 
/lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 15 (Thread 0x7f3ab7ff7700 (LWP 2682)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 14 (Thread 0x7f3ab77f6700 (LWP 2683)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 13 (Thread 0x7f3ab6ff5700 (LWP 2684)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 12 (Thread 0x7f3ab67f4700 (LWP 2685)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from 
/lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 11 (Thread 0x7f3ab5ff3700 (LWP 2686)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/ >> libdb-5.3.so >> >> #2 0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so >> >> #3 0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so >> >> #4 0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so >> >> #5 0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so >> >> #6 0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so >> >> #7 0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so >> >> #8 0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so >> >> #9 0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so >> >> #10 0x00007f3ae237d843 in __db_get () from /lib64/libdb-5.3.so >> >> #11 0x00007f3ae2381123 in __db_get_pp () from /lib64/libdb-5.3.so >> >> #12 0x00007f3adc12949b in id2entry () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #13 0x00007f3adc14f7dd in ldbm_back_delete () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #14 0x00007f3ae9900190 in op_shared_delete () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #15 0x00007f3ae9900342 in delete_internal_pb () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #16 0x00007f3adba44739 in mep_del_post_op () from >> /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so >> >> #17 0x00007f3ae994c280 in plugin_call_func () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #18 0x00007f3ae994c4d8 in plugin_call_plugins () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #19 
0x00007f3adc14e42e in ldbm_back_delete () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> >> #20 0x00007f3ae9900190 in op_shared_delete () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #21 0x00007f3ae9900453 in do_delete () from >> /usr/lib64/dirsrv/libslapd.so.0 >> >> #22 0x00007f3ae9e1a37e in connection_threadmain () >> >> #23 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #24 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #25 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 10 (Thread 0x7f3ab57f2700 (LWP 2687)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 9 (Thread 0x7f3ab4ff1700 (LWP 2688)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 8 (Thread 0x7f3ab47f0700 (LWP 2689)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root 
() from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 7 (Thread 0x7f3ab3fef700 (LWP 2690)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 6 (Thread 0x7f3ab37ee700 (LWP 2691)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 5 (Thread 0x7f3ab2fed700 (LWP 2692)): >> >> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from >> /lib64/libpthread.so.0 >> >> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so >> >> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >> >> #3 0x00007f3ae9e1988d in connection_threadmain () >> >> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >> >> #5 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0 >> >> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >> >> Thread 4 (Thread 0x7f3ab27ec700 (LWP 2693)): >> >> #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6 >> >> #1 0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0 >> >> #2 
>>
>> On Fri, Sep 18, 2015 at 12:52 AM, Ludwig Krispenz wrote:
>>
>>> On 09/18/2015 12:24 AM, HECTOR LOPEZ wrote:
>>>
>>> This is rhel 7.1 with ipa version 4.1.0
>>>
>>> user-show shows the user. However, if the user contains
>>> ipaNTSecurityIdentifier: attribute, user-del hangs with no response.
>>>
>>> Meanwhile, the KDC and 389ds stop working. The only way to recover
>>> functionality is to reboot the machine. ipactl restart does nothing.
>>>
>>> If it hangs again, could you get a pstack of the slapd process ?
>>> If you then kill slapd, does ipactl restart work ?
>>>
>>>
>>> In the ldap access log I see this when trying to delete user sclown:
>>>
>>> [14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0 etime=0
>>> [14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
>>> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
>>> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0
>>> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
>>> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z 1:0 (0)
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 nentries=0 etime=0
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV 200:0:20150914093009Z 1:10 (0)
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 tag=101 nentries=1 etime=0
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV 200:0:20150914093009Z 0:0 (0)
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101 nentries=1 etime=0
>>> [14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
>>>
>>> Then in the ldap error log I see this, which makes me think there is a
>>> problem with the changelog:
>>>
>>> [14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for changenumber=91314,cn=changelog from entryrdn index (-30993)
>>> [14/Sep/2015:09:30:03 -0700] - Operation error fetching changenumber=91314,cn=changelog (null), error -30993.
>>> [14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error occured while adding change number 91314, dn = changenumber=91314,cn=changelog: Operations error.
>>> [14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: operation failure [1]
>>>
>>> After this both kdc and ldap stop responding. In the krb5kdc.log I see
>>> server errors after the user-del command is run. The only way to resume
>>> normal operations is to restart the whole machine. ipactl restart doesn't
>>> work.
>>>
>>> Any help would be highly appreciated!
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>

From jpazdziora@redhat.com Fri Sep 25 06:29:09 2015
From: jpazdziora@redhat.com (Jan Pazdziora)
Date: Fri, 25 Sep 2015 08:29:09 +0200
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To: <1442926553.10697.70.camel@redhat.com>
References: <1442926553.10697.70.camel@redhat.com>
Message-ID: <20150925062909.GA2227@redhat.com>

On Tue, Sep 22, 2015 at 08:55:53AM -0400, Nathaniel McCallum wrote:
> On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > Dear freeipa-users,
> >
> > I'm having an issue with otp in freeipa. I can set up the service as
> > described in the blog post for TOTP or HOTP, and sync the token fine.
> > When I try to login to the admin tools or an ipa-managed client
> > (with ) , I get a password incorrect message.
> > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> > Can anyone help me to debug/get this working?
>
> I'm very unclear as to what you are trying to do. Are you trying to
> run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> ipa-otpd will require systemd in the container.

Well, we have separate daemon listening on the /var/run/krb5kdc/DEFAULT.socket in the container which should start the ipa-otpd@.service when there's a connection made to it. But somehow it does not seem to be happening even if I fix the parsing of /etc/ipa/default.conf that ipa-otpd@.service is doing.

What is the simplest way to trigger the connection to /var/run/krb5kdc/DEFAULT.socket, for debugging purposes?

I haven't even been able to sync the token properly, which Duncan says in https://github.com/adelton/docker-freeipa/issues/34#issuecomment-123877080 was working for him.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From abokovoy@redhat.com Fri Sep 25 07:09:55 2015
From: abokovoy@redhat.com (Alexander Bokovoy)
Date: Fri, 25 Sep 2015 10:09:55 +0300
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To: <20150925062909.GA2227@redhat.com>
References: <1442926553.10697.70.camel@redhat.com> <20150925062909.GA2227@redhat.com>
Message-ID: <20150925070955.GB4144@redhat.com>

On Fri, 25 Sep 2015, Jan Pazdziora wrote:
>On Tue, Sep 22, 2015 at 08:55:53AM -0400, Nathaniel McCallum wrote:
>> On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
>> > Dear freeipa-users,
>> >
>> > I'm having an issue with otp in freeipa. I can set up the service as
>> > described in the blog post for TOTP or HOTP, and sync the token fine.
>> > When I try to login to the admin tools or an ipa-managed client
>> > (with ) , I get a password incorrect message.
>> > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
>> > Can anyone help me to debug/get this working?
>>
>> I'm very unclear as to what you are trying to do. Are you trying to
>> run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
>> ipa-otpd will require systemd in the container.
>
>Well, we have separate daemon listening on the
>/var/run/krb5kdc/DEFAULT.socket in the container which should start
>the ipa-otpd@.service when there's a connection made to it. But
>somehow it does not seem to be happening even if I fix the parsing of
>/etc/ipa/default.conf that ipa-otpd@.service is doing.

As I wrote earlier, ipa-otpd relies on socket activation feature of systemd -- systemd opens this socket and listens for incoming connections. Any incoming connection causes to start ipa-otpd daemon and connects its stdin/stdout to the socket's client.

>What is the simplest way to trigger the connection to
>/var/run/krb5kdc/DEFAULT.socket, for debugging purposes?

Use socat. Something like

socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd

--
/ Alexander Bokovoy

From jpazdziora@redhat.com Fri Sep 25 07:22:19 2015
From: jpazdziora@redhat.com (Jan Pazdziora)
Date: Fri, 25 Sep 2015 09:22:19 +0200
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To: <20150925070955.GB4144@redhat.com>
References: <1442926553.10697.70.camel@redhat.com> <20150925062909.GA2227@redhat.com> <20150925070955.GB4144@redhat.com>
Message-ID: <20150925072219.GG2227@redhat.com>

On Fri, Sep 25, 2015 at 10:09:55AM +0300, Alexander Bokovoy wrote:
> >
> >Well, we have separate daemon listening on the
> >/var/run/krb5kdc/DEFAULT.socket in the container which should start
> >the ipa-otpd@.service when there's a connection made to it. But
> >somehow it does not seem to be happening even if I fix the parsing of
> >/etc/ipa/default.conf that ipa-otpd@.service is doing.
> As I wrote earlier, ipa-otpd relies on socket activation feature of
> systemd -- systemd opens this socket and listens for incoming
> connections. Any incoming connection causes to start ipa-otpd daemon and
> connects its stdin/stdout to the socket's client.

And in the container there is no systemd so I emulate it there by just running a separate daemon listening on that socket which will fork that ipa-otpd daemon.

> >What is the simplest way to trigger the connection to
> >/var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
> Use socat. Something like
> socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd

I meant, how do I cause the IPA stack (KDC?) to make the connection and communication with the ipa-otpd daemon?

Also, does the Sync OTP Token operation invoke the ipa-otpd daemon path (so if Duncan managed to sync the token, it worked for him at least once) in any way or does it bypass it?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From abokovoy@redhat.com Fri Sep 25 07:30:51 2015
From: abokovoy@redhat.com (Alexander Bokovoy)
Date: Fri, 25 Sep 2015 10:30:51 +0300
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To: <20150925072219.GG2227@redhat.com>
References: <1442926553.10697.70.camel@redhat.com> <20150925062909.GA2227@redhat.com> <20150925070955.GB4144@redhat.com> <20150925072219.GG2227@redhat.com>
Message-ID: <20150925073051.GC4144@redhat.com>

On Fri, 25 Sep 2015, Jan Pazdziora wrote:
>On Fri, Sep 25, 2015 at 10:09:55AM +0300, Alexander Bokovoy wrote:
>> >
>> >Well, we have separate daemon listening on the
>> >/var/run/krb5kdc/DEFAULT.socket in the container which should start
>> >the ipa-otpd@.service when there's a connection made to it. But
>> >somehow it does not seem to be happening even if I fix the parsing of
>> >/etc/ipa/default.conf that ipa-otpd@.service is doing.
>> As I wrote earlier, ipa-otpd relies on socket activation feature of
>> systemd -- systemd opens this socket and listens for incoming
>> connections. Any incoming connection causes to start ipa-otpd daemon and
>> connects its stdin/stdout to the socket's client.
>
>And in the container there is no systemd so I emulate it there by just
>running a separate daemon listening on that socket which will fork
>that ipa-otpd daemon.

You did write another daemon? socat is enough.

>> >What is the simplest way to trigger the connection to
>> >/var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
>> Use socat. Something like
>> socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd
>
>I meant, how do I cause the IPA stack (KDC?) to make the connection
>and communication with the ipa-otpd daemon?

Enable OTP tokens globally or for specific user in web UI, restart KDC. Create OTP token for a user and try to login via SSSD.

>Also, does the Sync OTP Token operation invoke the ipa-otpd daemon
>path (so if Duncan managed to sync the token, it worked for him at
>least once) in any way or does it bypass it?

No. It uses LDAP extended operation.

--
/ Alexander Bokovoy

From jhrozek@redhat.com Fri Sep 25 08:06:36 2015
From: jhrozek@redhat.com (Jakub Hrozek)
Date: Fri, 25 Sep 2015 10:06:36 +0200
Subject: [Freeipa-users] sudo options/sss_cache
In-Reply-To:
References:
Message-ID: <20150925080559.GH7272@hendrix.redhat.com>

On Thu, Sep 24, 2015 at 03:39:48PM +0200, Christoph Kaminski wrote:
> Hi
>
> I have 3 problems/questions with ipa and sudo...
>
> 1. How to make a GLOBAL sudo rule with all the options what I want to
> have? (e.g. !authenticate). I have tried to make a sudo rule for all users
> on all hosts whom all users but without command and it doesnt work... Do I
> need to set it for each rule separately?

Pavel (CC) would know this better, in native sudo there is a global entry but I keep forgetting what it is in IPA..

> 2. How can I with sss_cache invalidate sudo rules? Do I need ever to kill
> all files inside /var/lib/sssd/db? I dont see an option in sss_cache for
> this :/

sss_cache can't do that because at the moment the sudo rule updates are kinda complex. See man sssd-sudo for all the different refreshes. You can either cycle sssd by sending it USR1 and then USR2 or tune the cache refreshes.

> 3. How long is the time where sssd invalidates the sudo rules and make a
> new look into ipa? Can I set this time?

See above.
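Back to the ipa-otpd socket-activation exchange above: the following is an added example, not code from the thread, from FreeIPA or from socat. It does what Jan describes for a container without systemd: listen on a UNIX socket path and, for each connection, start a child process with its stdin and stdout attached to that connection, the way a socket-activated ipa-otpd@.service instance is started. The socket path and the child command are parameters; demo() uses a temporary directory and `cat` as the child so it runs anywhere.

```python
"""Stand-in for systemd socket activation on a UNIX socket (added example)."""
import os
import socket
import subprocess
import tempfile
import threading


class ActivatingListener:
    """Accept connections on a UNIX socket and hand each one to a new child."""

    def __init__(self, path, command):
        self.path = path
        self.command = list(command)
        # Equivalent of socat's unlink-early: drop a stale socket file first.
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
        self._sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._sock.bind(path)
        # Only the owner may connect; in a real deployment only the KDC
        # needs to reach ipa-otpd through this socket.
        os.chmod(path, 0o600)
        self._sock.listen(5)
        # Short accept timeout so stop() can end the loop cleanly.
        self._sock.settimeout(0.2)
        self._stopping = False
        self._thread = None

    def _serve_one(self, conn):
        # The child's fd 0 and fd 1 are the client connection itself, so it
        # talks to the client with plain reads and writes, like ipa-otpd
        # does when systemd activates it.
        with conn:
            proc = subprocess.Popen(self.command, stdin=conn, stdout=conn)
            proc.wait()

    def _loop(self):
        while not self._stopping:
            try:
                conn, _ = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            # One child per connection, like socat's fork option.
            threading.Thread(target=self._serve_one, args=(conn,),
                             daemon=True).start()

    def start(self):
        self._thread = threading.Thread(target=self._loop, daemon=True)
        self._thread.start()
        return self

    def stop(self):
        self._stopping = True
        self._thread.join()
        self._sock.close()
        try:
            os.unlink(self.path)
        except FileNotFoundError:
            pass


def roundtrip(path, payload, timeout=5.0):
    """Connect as a client would, send payload, half-close, read the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.settimeout(timeout)
        client.connect(path)
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)   # EOF on the child's stdin
        chunks = []
        while True:
            data = client.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Activate 'cat' per connection and return what it echoes back."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "DEFAULT.socket")  # constructed path
        listener = ActivatingListener(path, ["cat"]).start()
        try:
            return roundtrip(path, b"ping from the kdc\n")
        finally:
            listener.stop()


if __name__ == "__main__":
    print(demo())
```

Swapping `["cat"]` for the real daemon command reproduces the socat invocation from the thread, with the added benefit that a lost connection or a crashing child shows up as a closed socket on the client side instead of a hang.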
From pspacek@redhat.com Fri Sep 25 08:16:27 2015
From: pspacek@redhat.com (Petr Spacek)
Date: Fri, 25 Sep 2015 10:16:27 +0200
Subject: [Freeipa-users] DNS Replication Validation
In-Reply-To: <560416D1.1060505@redhat.com>
References: <56040C03.10303@redhat.com> <56040E54.5070802@redhat.com> <5604108E.3010604@redhat.com> <56041312.90906@redhat.com> <2FBB27A4-70C7-49B9-B46A-EB7137C52244@gmail.com> <560416D1.1060505@redhat.com>
Message-ID: <560502DB.6040505@redhat.com>

On 24.9.2015 17:29, Rich Megginson wrote:
> On 09/24/2015 09:24 AM, Aric Wilisch wrote:
>> Is there a way of exporting the DNS information out of Freeipa? Then I could
>> just do a diff on the export from master and replica.
>
> That's what Martin was suggesting you use dnspython to do.

You can use ldns utils to do that, too. First of all, allow zone transfers from both servers and save them to a file:

$ dig @server_1 zone.example AXFR > srv1.db
$ dig @server_2 zone.example AXFR > srv2.db
$ ldns-compare-zones -a -s srv1.db srv2.db

In unsigned zones only SOA serial and SOA mname should be different. If the zone is DNSSEC-signed then there will be a lot of different RRSIG records and so on, you might experiment with ldns-read-zone -0 or -s to clear the differences.

Also, do not forget to allow zone transfers for IP address of the client running dig:

$ ipa dnszone-mod --allow-zone-transfer=';'

I hope this helps.

Petr^2 Spacek

>>> On Sep 24, 2015, at 11:13 AM, Martin Basti wrote:
>>>
>>>
>>>
>>> On 09/24/2015 05:02 PM, Rich Megginson wrote:
>>>> On 09/24/2015 08:53 AM, Martin Basti wrote:
>>>>>
>>>>> On 09/24/2015 04:43 PM, Rich Megginson wrote:
>>>>>> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>>>>>>> I need a way to validate that both the primary and the redundant
>>>>>>> FreeIPA server's DNS zones are in sync. What's the simplest way for me
>>>>>>> to do this?
>>>>>> Do a DNS query to confirm that the SOA record for the primary is
>>>>>> identical to the SOA for the secondary.
>>>>> SOA serials are not replicated.
>>>> So with IPA you can have a master DNS and a replica DNS that have
>>>> different SOA?
>>> Just SOA serial, other records are replicated.
>>>
>>>> Then the records are replicated using the standard IPA dirsrv replication
>>>> protocol?
>>>>
>>>> In that case, doesn't ipa-replica-manage have a way to ask if the replicas
>>>> are in sync?
>>> I don't think that ipa-replica-manage is capable to detect if replicas are
>>> in sync.
>>> AFAIK this feature is planned for future IPA versions.
>>> Inspecting DS error log may help to find replication issues if any.
>>>
>>> Martin
>>>
>>>>> You can get all records via AXFR, and compare them per zone.
>>>>>
>>>>> Maybe you can use python-dns to do comparation
>>>>>
>>>>> http://www.dnspython.org/examples.html
>>>> That seems pretty heavyweight if there are a lot records.
>>>>
>>>>> HTH
>>>>> Martin
>>>>>>> My boss won't let me continue with an upgrade until he's sure the
>>>>>>> primary and redundant servers have the same DNS records and are in
>>>>>>> sync. I've tried finding documentation on this but keep coming up blank.
>>>>>>>
>>>>>>> Thanks in advance.
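The same comparison without ldns or dnspython, as an added example that is not code from the thread, from FreeIPA or from ldns: it parses two `dig ... AXFR` dumps, masks the SOA mname and serial that legitimately differ between IPA servers, drops DNSSEC records unless asked not to, and lists the records present on only one side. The two dumps below are constructed sample data.

```python
"""Diff two AXFR dumps of an IPA-served zone (added example)."""

DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}

# Constructed samples in the record layout dig prints for an AXFR:
# owner, TTL, class, type, rdata separated by tabs; ';' lines are comments.
MASTER_AXFR = """\
; <<>> DiG 9.9.4 <<>> @ipa1.example.test zone.example AXFR
zone.example.\t86400\tIN\tSOA\tipa1.example.test. hostmaster.zone.example. 1443168001 3600 900 1209600 3600
zone.example.\t86400\tIN\tNS\tipa1.example.test.
zone.example.\t86400\tIN\tNS\tipa2.example.test.
zone.example.\t86400\tIN\tRRSIG\tSOA 8 2 86400 20151025000000 20150925000000 12345 zone.example. c2lnLW9uLWlwYTE=
_kerberos._udp.zone.example.\t86400\tIN\tSRV\t0 100 88 ipa1.example.test.
_kerberos._udp.zone.example.\t86400\tIN\tSRV\t0 100 88 ipa2.example.test.
host1.zone.example.\t86400\tIN\tA\t192.0.2.10
zone.example.\t86400\tIN\tSOA\tipa1.example.test. hostmaster.zone.example. 1443168001 3600 900 1209600 3600
"""

REPLICA_AXFR = """\
; <<>> DiG 9.9.4 <<>> @ipa2.example.test zone.example AXFR
zone.example.\t86400\tIN\tSOA\tipa2.example.test. hostmaster.zone.example. 1443167990 3600 900 1209600 3600
zone.example.\t86400\tIN\tNS\tipa1.example.test.
zone.example.\t86400\tIN\tNS\tipa2.example.test.
zone.example.\t86400\tIN\tRRSIG\tSOA 8 2 86400 20151025000000 20150925000000 12345 zone.example. c2lnLW9uLWlwYTI=
_kerberos._udp.zone.example.\t86400\tIN\tSRV\t0 100 88 ipa1.example.test.
_kerberos._udp.zone.example.\t86400\tIN\tSRV\t0 100 88 ipa2.example.test.
host2.zone.example.\t86400\tIN\tA\t192.0.2.11
zone.example.\t86400\tIN\tSOA\tipa2.example.test. hostmaster.zone.example. 1443167990 3600 900 1209600 3600
"""


def parse_axfr(text, ignore_dnssec=True):
    """Return the zone as a set of (owner, type, rdata) triples.

    TTL and class are dropped (class is always IN; IPA serves the same TTL
    from every server). An AXFR repeats the SOA at the start and the end,
    which the set collapses. The SOA's mname and serial are masked because
    each IPA DNS server keeps its own.
    """
    records = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            raise ValueError("not a dig AXFR record line: %r" % line)
        owner, _ttl, _cls, rtype, rdata = parts
        rtype = rtype.upper()
        if ignore_dnssec and rtype in DNSSEC_TYPES:
            continue
        fields = rdata.split()
        if rtype == "SOA" and len(fields) == 7:
            fields[0] = "<mname>"    # differs per IPA server by design
            fields[2] = "<serial>"   # not replicated between IPA servers
        records.add((owner.lower(), rtype, " ".join(fields)))
    return records


def diff_zones(text_a, text_b, ignore_dnssec=True):
    """Return (only_in_a, only_in_b), each a sorted list of 'owner TYPE rdata'."""
    a = parse_axfr(text_a, ignore_dnssec)
    b = parse_axfr(text_b, ignore_dnssec)
    return (sorted(" ".join(r) for r in a - b),
            sorted(" ".join(r) for r in b - a))


if __name__ == "__main__":
    only_master, only_replica = diff_zones(MASTER_AXFR, REPLICA_AXFR)
    for rec in only_master:
        print("only on master: ", rec)
    for rec in only_replica:
        print("only on replica:", rec)
```

Feed it the two files from the dig commands above; an empty result on both sides means the replicas agree on everything except the per-server SOA fields.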
From pspacek@redhat.com Fri Sep 25 08:27:31 2015
From: pspacek@redhat.com (Petr Spacek)
Date: Fri, 25 Sep 2015 10:27:31 +0200
Subject: [Freeipa-users] IPA server failover
In-Reply-To: <8b0ac4e811314ab9a6dc41b83aa6ed07@TCCCORPEXCH02.TCC.local>
References: <4ef3bc3ac1734e23afecd957c6159615@TCCCORPEXCH02.TCC.local> <20150924051726.GC7201@redhat.com> <734b911b20b64458b1a973225d4656ff@TCCCORPEXCH02.TCC.local> <20150924132909.GF7201@redhat.com> <5603FF8B.8060704@redhat.com> <8b0ac4e811314ab9a6dc41b83aa6ed07@TCCCORPEXCH02.TCC.local>
Message-ID: <56050573.1030009@redhat.com>

On 24.9.2015 16:16, Andy Thompson wrote:
>
>
>> -----Original Message-----
>> From: freeipa-users-bounces@redhat.com [mailto:freeipa-users-bounces@redhat.com] On Behalf Of Petr Spacek
>> Sent: Thursday, September 24, 2015 9:50 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] IPA server failover
>>
>> On 24.9.2015 15:29, Alexander Bokovoy wrote:
>>> On Thu, 24 Sep 2015, Andy Thompson wrote:
>>>>> -----Original Message-----
>>>>> From: Alexander Bokovoy [mailto:abokovoy@redhat.com]
>>>>> Sent: Thursday, September 24, 2015 1:17 AM
>>>>> To: Andy Thompson
>>>>> Cc: freeipa-users@redhat.com
>>>>> Subject: Re: [Freeipa-users] IPA server failover
>>>>>
>>>>> On Wed, 23 Sep 2015, Andy Thompson wrote:
>>>>>> I've got all of my environments setup with two IPA servers. I'm
>>>>>> fighting intermittent problems with krb5kdc crashing on them in all
>>>>>> of my environments and I've opened a ticket with Redhat on that.
>>>>>> What I can't figure out though is why the clients will not fail
>>>>>> over to the second functioning server in the domain
>>>>>>
>>>>>> My sssd.conf files are all pretty generic from the install with
>>>>>> minimal modification to add a couple settings.
>>>>>>
>>>>>> [domain/mhbe.lin]
>>>>>>
>>>>>> cache_credentials = True
>>>>>> krb5_store_password_if_offline = True
>>>>>> ipa_domain = mhbe.lin
>>>>>> id_provider = ipa
>>>>>> auth_provider = ipa
>>>>>> access_provider = ipa
>>>>>> ipa_hostname = mdhixproddb01.mhbe.lin
>>>>>> chpass_provider = ipa
>>>>>> ipa_server = _srv_, mdhixprodipa01.mhbe.lin
>>>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>>>> [sssd]
>>>>>> default_domain_suffix = mhbe.local
>>>>>> services = nss, sudo, pam, ssh
>>>>>> config_file_version = 2
>>>>>>
>>>>>> domains = mhbe.lin
>>>>>> [nss]
>>>>>> default_shell = /bin/bash
>>>>>> homedir_substring = /home
>>>>>> debug_level = 7
>>>>>> [pam]
>>>>>>
>>>>>> [sudo]
>>>>>>
>>>>>> [autofs]
>>>>>>
>>>>>> [ssh]
>>>>>>
>>>>>> [pac]
>>>>>>
>>>>>> [ifp]
>>>>>>
>>>>>> I thought the _srv_ would force it to use dns and both servers are
>>>>>> round robined when digging the _kerberos records from DNS. So I
>>>>>> don't understand why it's not working
>>>>> ipa_server is for SSSD tasks using LDAP server. Kerberos libraries
>>>>> are using /etc/krb5.conf for hints where to find KDCs.
>>>>>
>>>>> A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing 'kdc = '
>>>>> for specific realm would cause Kerberos clients to do DNS discovery
>>>>> using SRV records.
>>>>>
>>>>
>>>> Here are the contents of my krb conf with everything set to lookup
>>>> and it doesn't appear to be working.
>>>>
>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>
>>>> [libdefaults]
>>>> default_realm = MHBE.LIN
>>>> dns_lookup_realm = true
>>>> dns_lookup_kdc = true
>>>> rdns = false
>>>> ticket_lifetime = 24h
>>>> forwardable = yes
>>>> udp_preference_limit = 0
>>>>
>>>>
>>>> [realms]
>>>> MHBE.LIN = {
>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>
>>>> }
>>>>
>>>>
>>>> [domain_realm]
>>>> .mhbe.lin = MHBE.LIN
>>>> mhbe.lin = MHBE.LIN
>>> I bet you have SSSD supplying you KDC info in
>>> /var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
>>> /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
>>>
>>> You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
>>> see details in sssd-krb5(5).
>>
>
> I will look into adding this setting. Why is this not the default configuration by the client install?
>
>> Also, I would recommend you to check SRV records in DNS:
>>
>> $ dig _kerberos._udp.mhbe.lin SRV
>>
>> It should list both servers (with non-zero priority).
>>
>
> Ok both servers are in there but they have a zero priority. Those are the default records added by the install.

Never mind, I got confused. Zero priority should not be an issue, because it is the same as with MX records - smaller number means higher priority.

I.e. the DNS configuration sounds correct, I would continue with SSSD or krb5 libs debugging.

I hope this helps.

--
Petr^2 Spacek

From tbordaz@redhat.com Fri Sep 25 08:50:44 2015
From: tbordaz@redhat.com (thierry bordaz)
Date: Fri, 25 Sep 2015 10:50:44 +0200
Subject: [Freeipa-users] user delete command hangs kdc and ldap stop responding
In-Reply-To:
References: <55FBC2AB.7060302@redhat.com> <560137B0.3080904@redhat.com> <5603BD92.50108@redhat.com>
Message-ID: <56050AE4.5040806@redhat.com>

Hector,

I would need the mep configuration to try to reproduce.
Do you mind to send the entry 'dn: cn=Managed Entries,cn=plugins,cn=config' like:

dn: cn=Managed Entries,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Managed Entries
nsslapd-pluginPath: libmanagedentries-plugin
nsslapd-pluginInitfunc: mep_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Managed Entries
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Managed Entries plugin
modifiersName: cn=directory manager
modifyTimestamp: 20150925080029Z
nsslapd-pluginConfigArea: *cn=Definitions,cn=Managed Entries,cn=etc,SUFFIX*

And also a

ldapsearch -s sub -D 'cn=directory manager' -w xxx -b "*cn=Definitions,cn=Managed Entries,cn=etc,SUFFIX*"

thanks for your help
thierry

On 09/24/2015 09:30 PM, HECTOR LOPEZ wrote:
> Thierry,
>
> wow I feel lucky! LOL I noticed that I can delete other users, but
> this one user always always causes the bug to rear its ugly head.
> This is a test user we created.
>
> # sclown, users, accounts, gseis.ucla.edu
> dn: uid=sclown,cn=users,cn=accounts,dc=gseis,dc=ucla,dc=edu
> employeeType: visitor
> cn: Shakes Clown
> objectClass: ipaobject
> objectClass: person
> objectClass: top
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: organizationalperson
> objectClass: krbticketpolicyaux
> objectClass: krbprincipalaux
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> objectClass: ipantuserattrs
> loginShell: /bin/sh
> l: Los Angeles
> st: CA
> displayName: Shakes Clown
> gidNumber: 20
> employeeNumber: VIS391880
> gecos: Shakes Clown
> sn: Clown
> homeDirectory: /Network/Servers/nh2.gseis.ucla.edu/Volumes/RAIDvolume/homes/visitor/sclown
> postalCode: 90095
> mail: cretin@me.com
> krbPrincipalName: sclown@GSEIS.UCLA.EDU
> givenName: Shakes
> uid: sclown
> initials: SC
> userPassword:: e1NTSEF9Y1NXaEJRSVRrOWdidWpCcm5JTFlKWEUybktyYXBNRnB1eDBIQ0E9PQ==
> ipaUniqueID: 2fab91a6-5812-11e5-9373-90b11c1a954a
> uidNumber: 194600031
> krbPasswordExpiration: 20150910231802Z
> krbLastPwdChange: 20150910231802Z
> krbExtraData:: AAKqD/JVcm9vdC9hZG1pbkBHU0VJUy5VQ0xBLkVEVQA=
> mepManagedEntry: cn=sclown,cn=groups,cn=accounts,dc=gseis,dc=ucla,dc=edu
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=gseis,dc=ucla,dc=edu
> ipaNTSecurityIdentifier: S-1-5-21-2093508036-4063588109-728608799-1031
>
>
>
> On Thu, Sep 24, 2015 at 2:08 AM, thierry bordaz wrote:
>
> Hello Hector,
>
> You actually hit https://fedorahosted.org/389/ticket/47976.
> I updated the ticket with your thread/data.
>
> This is a known deadlock with no fix yet.
> This problem seemed to be quite rare but you are hitting it quite
> frequently.
> Did you identify a test case for it ? How frequently does it happen ?
>
> thanks
> thierry
>
> On 09/23/2015 09:53 PM, HECTOR LOPEZ wrote:
>> Thierry,
>>
>> Here is a fresh pstack of ns-slapd after ipa user-del
>> hangs; the db_stat output follows. Also, killing
>> ns-slapd restores functionality to ipactl restart:
>>
>> sh-4.2# gstack 6134
pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 19 (Thread 0x7fa9b07f0700 (LWP 6163)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 18 (Thread 0x7fa9affef700 (LWP 6164)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 17 (Thread 0x7fa9af7ee700 (LWP 6165)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from 
/lib64/libc.so.6 >> Thread 16 (Thread 0x7fa9aefed700 (LWP 6166)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 15 (Thread 0x7fa9ae7ec700 (LWP 6167)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 14 (Thread 0x7fa9adfeb700 (LWP 6168)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 13 (Thread 0x7fa9ad7ea700 (LWP 6169)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 
0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 12 (Thread 0x7fa9acfe9700 (LWP 6170)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 11 (Thread 0x7fa9ac7e8700 (LWP 6171)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 10 (Thread 0x7fa9abfe7700 (LWP 6172)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 9 (Thread 0x7fa9ab7e6700 (LWP 6173)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9d860e2f3 in __db_hybrid_mutex_suspend () from >> /lib64/libdb-5.3.so >> #2 0x00007fa9d860d640 in __db_tas_mutex_lock () from >> 
/lib64/libdb-5.3.so >> #3 0x00007fa9d86b7cea in __lock_get_internal () from >> /lib64/libdb-5.3.so >> #4 0x00007fa9d86b87d0 in __lock_get () from /lib64/libdb-5.3.so >> >> #5 0x00007fa9d86e4112 in __db_lget () from /lib64/libdb-5.3.so >> >> #6 0x00007fa9d862b5f5 in __bam_search () from >> /lib64/libdb-5.3.so >> #7 0x00007fa9d8616256 in __bamc_search () from >> /lib64/libdb-5.3.so >> #8 0x00007fa9d8617d0f in __bamc_get () from /lib64/libdb-5.3.so >> >> #9 0x00007fa9d86d0c56 in __dbc_iget () from /lib64/libdb-5.3.so >> >> #10 0x00007fa9d86dd843 in __db_get () from /lib64/libdb-5.3.so >> >> #11 0x00007fa9d86e1123 in __db_get_pp () from /lib64/libdb-5.3.so >> >> #12 0x00007fa9d248949b in id2entry () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> #13 0x00007fa9d24af7dd in ldbm_back_delete () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> #14 0x00007fa9dfc60190 in op_shared_delete () from >> /usr/lib64/dirsrv/libslapd.so.0 >> #15 0x00007fa9dfc60342 in delete_internal_pb () from >> /usr/lib64/dirsrv/libslapd.so.0 >> #16 0x00007fa9d1da4739 in mep_del_post_op () from >> /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so >> #17 0x00007fa9dfcac280 in plugin_call_func () from >> /usr/lib64/dirsrv/libslapd.so.0 >> #18 0x00007fa9dfcac4d8 in plugin_call_plugins () from >> /usr/lib64/dirsrv/libslapd.so.0 >> #19 0x00007fa9d24ae42e in ldbm_back_delete () from >> /usr/lib64/dirsrv/plugins/libback-ldbm.so >> #20 0x00007fa9dfc60190 in op_shared_delete () from >> /usr/lib64/dirsrv/libslapd.so.0 >> #21 0x00007fa9dfc60453 in do_delete () from >> /usr/lib64/dirsrv/libslapd.so.0 >> #22 0x00007fa9e017a37e in connection_threadmain () >> #23 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #24 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #25 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 8 (Thread 0x7fa9aafe5700 (LWP 6174)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 
0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 7 (Thread 0x7fa9aa7e4700 (LWP 6175)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 6 (Thread 0x7fa9a9fe3700 (LWP 6176)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 5 (Thread 0x7fa9a97e2700 (LWP 6177)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e017865e in connection_wait_for_new_work () >> #3 0x00007fa9e017988d in connection_threadmain () >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 4 (Thread 0x7fa9a8fe1700 (LWP 6178)): >> #0 
0x00007fa9dd7628f3 in select () from /lib64/libc.so.6 >> #1 0x00007fa9dfcdd459 in DS_Sleep () from >> /usr/lib64/dirsrv/libslapd.so.0 >> #2 0x00007fa9e017b2c5 in time_thread () >> #3 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #4 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #5 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 3 (Thread 0x7fa93bfff700 (LWP 6220)): >> #0 0x00007fa9dda41ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de096b07 in pt_TimedWait () from /lib64/libnspr4.so >> #2 0x00007fa9de096fce in PR_WaitCondVar () from /lib64/libnspr4.so >> #3 0x00007fa9d66d6374 in sync_send_results () from >> /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so >> #4 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #5 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #6 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 2 (Thread 0x7fa93b7fe700 (LWP 6514)): >> #0 0x00007fa9dda41705 in pthread_cond_wait@@GLIBC_2.3.2 >> () from >> /lib64/libpthread.so.0 >> #1 0x00007fa9de097050 in PR_WaitCondVar () from /lib64/libnspr4.so >> #2 0x00007fa9e0185c85 in ps_send_results () >> #3 0x00007fa9de09c7bb in _pt_root () from /lib64/libnspr4.so >> #4 0x00007fa9dda3ddf5 in start_thread () from /lib64/libpthread.so.0 >> #5 0x00007fa9dd76b1ad in clone () from /lib64/libc.so.6 >> Thread 1 (Thread 0x7fa9e0142840 (LWP 6134)): >> #0 0x00007fa9dd760b7d in poll () from /lib64/libc.so.6 >> #1 0x00007fa9de098967 in _pr_poll_with_poll () from >> /lib64/libnspr4.so >> #2 0x00007fa9e017df59 in slapd_daemon () >> #3 0x00007fa9e017117c in main () >> >> here is the db_stat: >> >> Default locking region information: >> 902 Last allocated locker ID >> 0x7fffffff Current maximum unused locker ID >> 9 Number of lock modes >> 200 Initial number of locks allocated >> 0 Initial number of lockers allocated >> 200 Initial number of lock objects allocated >> 10000 
Maximum number of locks possible >> 10000 Maximum number of lockers possible >> 10000 Maximum number of lock objects possible >> 390 Current number of locks allocated >> 188 Current number of lockers allocated >> 250 Current number of lock objects allocated >> 40 Number of lock object partitions >> 8191 Size of object hash table >> 314 Number of current locks >> 338 Maximum number of locks at any one time >> 4 Maximum number of locks in any one bucket >> 457 Maximum number of locks stolen by for an empty partition >> 23 Maximum number of locks stolen for any one partition >> 160 Number of current lockers >> 162 Maximum number of lockers at any one time >> 216 Number of current lock objects >> 224 Maximum number of lock objects at any one time >> 2 Maximum number of lock objects in any one bucket >> 68 Maximum number of objects stolen by for an empty partition >> 7 Maximum number of objects stolen for any one partition >> 1547826 Total number of locks requested >> 1546707 Total number of locks released >> 0 Total number of locks upgraded >> 74 Total number of locks downgraded >> 38 Lock requests not available due to conflicts, for which >> we waited >> 54 Lock requests not available due to conflicts, for which >> we did not wait >> 0 Number of deadlocks >> 0 Lock timeout value >> 0 Number of locks that have timed out >> 0 Transaction timeout value >> 0 Number of transactions that have timed out >> 2MB 304KB Region size >> 14 The number of partition locks that required waiting (0%) >> 9 The maximum number of times any partition lock was waited >> for (0%) >> 0 The number of object queue operations that required >> waiting (0%) >> 1 The number of locker allocations that required waiting (0%) >> 2 The number of region locks that required waiting (0%) >> 3 Maximum hash bucket length >> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= >> Lock REGINFO information: >> Environment Region type >> 1 Region ID >> /var/lib/dirsrv/slapd-/db/__db.001 Region name >> 
0x7fdb35b3d000 Region address >> 0x7fdb35b3d0a0 Region allocation head >> 0x7fdb35b452b0 Region primary address >> 0 Region maximum allocation >> 0 Region allocated >> Region allocations: 31186 allocations, 0 failures, 30915 frees, 3 >> longest >> Allocations by power-of-two sizes: >> 1KB 31169 >> 2KB 3 >> 4KB 6 >> 8KB 5 >> 16KB 0 >> 32KB 1 >> 64KB 0 >> 128KB 0 >> 256KB 2 >> 512KB 0 >> 1024KB 1 >> REGION_SHARED Region flags >> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= >> Lock region parameters: >> 2 Lock region region mutex [2/487136 0% !Own] >> 16381 locker table size >> 8191 object table size >> 34128 obj_off >> 889656 locker_off >> 0 need_dd >> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= >> Lock conflict matrix: >> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= >> Locks grouped by lockers: >> Locker Mode Count Status ----------------- Object >> --------------- >> 2 dd=158 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 2 READ 1 HELD userRoot/id2entry.db >> handle 0 >> 3 dd=157 locks held 0 write locks 0 pid/thread >> 6134/140366854457088 flags 0 priority 100 >> 4 dd=156 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 4 READ 1 HELD ipaca/id2entry.db >> handle 0 >> 5 dd=155 locks held 0 write locks 0 pid/thread >> 6134/140366787315456 flags 0 priority 100 >> 6 dd=154 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 6 READ 1 HELD ipaca/entryrdn.db >> handle 0 >> 7 dd=153 locks held 0 write locks 0 pid/thread >> 6134/140366795708160 flags 0 priority 100 >> 8 dd=152 locks held 0 write locks 0 pid/thread >> 6134/140366812493568 flags 0 priority 100 >> 9 dd=151 locks held 0 write locks 0 pid/thread >> 6134/140366694995712 flags 0 priority 100 >> a dd=150 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> a READ 1 HELD ipaca/vlv#allcertspkitomcatindex.db >> handle 0 >> c dd=149 locks held 1 write locks 0 
pid/thread >> 6134/140367585617984 flags 10 priority 100 >> c READ 1 HELD >> ipaca/vlv#allinvalidcertspkitomcatindex.db handle 0 >> d dd=148 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> d READ 1 HELD >> ipaca/vlv#allinvalidcertsnotbeforepkitomcatindex.db handle 0 >> e dd=147 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> e READ 1 HELD >> ipaca/vlv#allnonrevokedcertspkitomcatindex.db handle 0 >> 15 dd=146 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 15 READ 1 HELD >> ipaca/vlv#allvalidcertspkitomcatindex.db handle 0 >> 16 dd=145 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 16 READ 1 HELD >> ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db handle 0 >> 17 dd=144 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 17 READ 1 HELD >> ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db handle 0 >> 18 dd=143 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 18 READ 1 HELD ipaca/vlv#caallpkitomcatindex.db >> handle 0 >> 1d dd=142 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 1d READ 1 HELD >> ipaca/vlv#cacompletepkitomcatindex.db handle 0 >> 1e dd=141 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 1e READ 1 HELD >> ipaca/vlv#cacompleteenrollmentpkitomcatindex.db handle 0 >> 21 dd=140 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 21 READ 1 HELD >> ipaca/vlv#caenrollmentpkitomcatindex.db handle 0 >> 22 dd=139 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 22 READ 1 HELD >> ipaca/vlv#capendingpkitomcatindex.db handle 0 >> 23 dd=138 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 23 READ 1 HELD >> ipaca/vlv#capendingenrollmentpkitomcatindex.db 
handle 0 >> 2c dd=137 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 2c READ 1 HELD changelog/id2entry.db >> handle 0 >> 2d dd=136 locks held 0 write locks 0 pid/thread >> 6134/140367584454400 flags 0 priority 100 >> 2e dd=135 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 2e READ 1 HELD changelog/entryusn.db >> handle 0 >> 2f dd=134 locks held 0 write locks 0 pid/thread >> 6134/140367585617984 flags 0 priority 100 >> 30 dd=133 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 30 READ 1 HELD userRoot/entryusn.db >> handle 0 >> 31 dd=132 locks held 0 write locks 0 pid/thread >> 6134/140367585617984 flags 0 priority 100 >> 32 dd=131 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 32 READ 1 HELD ipaca/entryusn.db >> handle 0 >> 33 dd=130 locks held 0 write locks 0 pid/thread >> 6134/140367585617984 flags 0 priority 100 >> 34 dd=129 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 34 READ 1 HELD userRoot/entryrdn.db >> handle 0 >> 35 dd=128 locks held 0 write locks 0 pid/thread >> 6134/140366745351936 flags 0 priority 100 >> 36 dd=127 locks held 0 write locks 0 pid/thread >> 6134/140366703388416 flags 0 priority 100 >> 36 READ 1 WAIT userRoot/id2entry.db >> page 2 >> 37 dd=126 locks held 0 write locks 0 pid/thread >> 6134/140366745351936 flags 0 priority 100 >> 38 dd=125 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 38 READ 1 HELD userRoot/objectclass.db >> handle 0 >> 39 dd=124 locks held 0 write locks 0 pid/thread >> 6134/140366896420608 flags 0 priority 100 >> 3a dd=123 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 3a READ 1 HELD userRoot/ancestorid.db >> handle 0 >> 3b dd=122 locks held 0 write locks 0 pid/thread >> 6134/140367585617984 flags 0 priority 100 >> 3c dd=121 locks held 1 write locks 
0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 3c READ 1 HELD changelog/entryrdn.db >> handle 0 >> 3d dd=120 locks held 0 write locks 0 pid/thread >> 6134/140367584454400 flags 0 priority 100 >> 3e dd=119 locks held 0 write locks 0 pid/thread >> 6134/140367584454400 flags 0 priority 100 >> 3f dd=118 locks held 0 write locks 0 pid/thread >> 6134/140367584454400 flags 0 priority 100 >> 40 dd=117 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 40 READ 1 HELD changelog/objectclass.db >> handle 0 >> 41 dd=116 locks held 0 write locks 0 pid/thread >> 6134/140367584454400 flags 0 priority 100 >> 42 dd=115 locks held 0 write locks 0 pid/thread >> 6134/140367584454400 flags 0 priority 100 >> 43 dd=114 locks held 0 write locks 0 pid/thread >> 6134/140366904813312 flags 0 priority 100 >> 43 READ 1 WAIT userRoot/objectclass.db >> page 2 >> 44 dd=113 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 44 READ 1 HELD ipaca/objectclass.db >> handle 0 >> 45 dd=112 locks held 0 write locks 0 pid/thread >> 6134/140366720173824 flags 0 priority 100 >> 46 dd=111 locks held 0 write locks 0 pid/thread >> 6134/140366778922752 flags 0 priority 100 >> 47 dd=110 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 47 READ 1 HELD changelog/aci.db >> handle 0 >> 48 dd=109 locks held 0 write locks 0 pid/thread >> 6134/140367585617984 flags 0 priority 100 >> 49 dd=108 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 49 READ 1 HELD userRoot/aci.db >> handle 0 >> 4a dd=107 locks held 0 write locks 0 pid/thread >> 6134/140367585617984 flags 0 priority 100 >> 4b dd=106 locks held 0 write locks 0 pid/thread >> 6134/140366720173824 flags 0 priority 100 >> 4c dd=105 locks held 0 write locks 0 pid/thread >> 6134/140366904813312 flags 0 priority 100 >> 4d dd=104 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 
>> 4d READ 1 HELD ipaca/aci.db >> handle 0 >> 4e dd=103 locks held 0 write locks 0 pid/thread >> 6134/140367585617984 flags 0 priority 100 >> 4f dd=102 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 4f READ 1 HELD userRoot/parentid.db >> handle 0 >> 50 dd=101 locks held 0 write locks 0 pid/thread >> 6134/140367585617984 flags 0 priority 100 >> 51 dd=100 locks held 0 write locks 0 pid/thread >> 6134/140367584454400 flags 0 priority 100 >> 52 dd=99 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 52 READ 1 HELD changelog/nsuniqueid.db >> handle 0 >> 53 dd=98 locks held 1 write locks 0 pid/thread >> 6134/140367585617984 flags 10 priority 100 >> 53 READ 1 HELD changelog/changenumber.db >> handle 0 >> 54 dd=97 locks held 0 write locks 0 pid/thread >> 6134/140367584454400 flags 0 priority 100 >> 55 dd=96 locks held 0 write locks 0 pid/thread >> 6134/140367584454400 flags 0 priority 100 >> 56 dd=95 locks held 1 write locks 0 pid/thread >> 6134/140367584454400 flags 10 priority 100 >> 56 READ 1 HELD changelog/targetuniqueid.db >> handle 0 >> 57 dd=94 locks held 1 write locks 0 pid/thread >> 6134/140367584454400 flags 10 priority 100 >> 57 READ 1 HELD changelog/parentid.db >> handle 0 >> 58 dd=93 locks held 1 write locks 0 pid/thread >> 6134/140367584454400 flags 10 priority 100 >> 58 READ 1 HELD changelog/ancestorid.db >> handle 0 >> 59 dd=92 locks held 1 write locks 0 pid/thread >> 6134/140367584454400 flags 10 priority 100 >> 59 READ 1 HELD changelog/numsubordinates.db >> handle 0 >> 5a dd=91 locks held 0 write locks 0 pid/thread >> 6134/140367584454400 flags 0 priority 100 >> 5b dd=90 locks held 0 write locks 0 pid/thread >> 6134/140366820886272 flags 0 priority 100 >> 5c dd=89 locks held 0 write locks 0 pid/thread >> 6134/140366896420608 flags 0 priority 100 >> 5d dd=88 locks held 1 write locks 0 pid/thread >> 6134/140366812493568 flags 10 priority 100 >> 5d READ 1 HELD 
userRoot/krbPrincipalName.db >> handle 0 >> 5e dd=87 locks held 0 write locks 0 pid/thread >> 6134/140366896420608 flags 0 priority 100 >> 5f dd=86 locks held 0 write locks 0 pid/thread >> 6134/140366854457088 flags 0 priority 100 >> 60 dd=85 locks held 0 write locks 0 pid/thread >> 6134/140366804100864 flags 0 priority 100 >> 61 dd=84 locks held 1 write locks 0 pid/thread >> 6134/140366694995712 flags 10 priority 100 >> 61 READ 1 HELD userRoot/ipakrbprincipalalias.db >> handle 0 >> 62 dd=83 locks held 0 write locks 0 pid/thread >> 6134/140366896420608 flags 0 priority 100 >> 63 dd=82 locks held 0 write locks 0 pid/thread >> 6134/140366896420608 flags 0 priority 100 >> 64 dd=81 locks held 1 write locks 0 pid/thread >> 6134/140366762137344 flags 10 priority 100 >> 64 READ 1 HELD changelog/seeAlso.db >> handle 0 >> 65 dd=80 locks held 0 write locks 0 pid/thread >> 6134/140366820886272 flags 0 priority 100 >> 66 dd=79 locks held 1 write locks 0 pid/thread >> 6134/140366762137344 flags 10 priority 100 >> 66 READ 1 HELD userRoot/seeAlso.db >> handle 0 >> 67 dd=78 locks held 0 write locks 0 pid/thread >> 6134/140366820886272 flags 0 priority 100 >> 68 dd=77 locks held 1 write locks 0 pid/thread >> 6134/140366762137344 flags 10 priority 100 >> 68 READ 1 HELD ipaca/seeAlso.db >> handle 0 >> 69 dd=76 locks held 0 write locks 0 pid/thread >> 6134/140366820886272 flags 0 priority 100 >> 6a dd=75 locks held 0 write locks 0 pid/thread >> 6134/140366795708160 flags 0 priority 100 >> 6b dd=74 locks held 0 write locks 0 pid/thread >> 6134/140366795708160 flags 0 priority 100 >> 6c dd=73 locks held 0 write locks 0 pid/thread >> 6134/140366795708160 flags 0 priority 100 >> 6d dd=72 locks held 0 write locks 0 pid/thread >> 6134/140366778922752 flags 0 priority 100 >> 6e dd=71 locks held 0 write locks 0 pid/thread >> 6134/140366778922752 flags 0 priority 100 >> 6f dd=70 locks held 0 write locks 0 pid/thread >> 6134/140366720173824 flags 0 priority 100 >> 70 dd=69 locks held 0 write 
>> 80003201 READ 1 HELD userRoot/objectclass.db page 18
>> 80003201 WRITE 2 HELD userRoot/objectclass.db page 18
>> 80003201 READ 21 HELD userRoot/objectclass.db page 19
>> 80003201 WRITE 6 HELD userRoot/objectclass.db page 19
>> 80003201 READ 1 HELD userRoot/objectclass.db page 16
>> 80003201 WRITE 2 HELD userRoot/objectclass.db page 16
>> 80003201 WRITE 1 HELD userRoot/objectclass.db page 17
>>
>> On Tue, Sep 22, 2015 at 4:12 AM, thierry bordaz wrote:
>>
>> Hi,
>>
>> If it hangs again, could you get a pstack of the slapd process
>> and also dump the db info 'db_stat -h /var/lib/dirsrv/slapd-/db -N -CA'. This
>> would help to know which thread holds the lock that blocks those operations?
>>
>> thanks
>> thierry
>>
>> On 09/18/2015 09:20 PM, HECTOR LOPEZ wrote:
>>>
>>> Ludwig Krispenz,
>>>
>>> This is the output of gstack on ns-slapd (pstack on rhel).
>>> Also, killing the ns-slapd process gave this error: "ipa:
>>> ERROR: cannot connect to
>>> 'ldapi://%2fvar%2frun%2fslapd-GSEIS-UCLA-EDU.socket': "
>>> After that I could use ipactl restart and the command runs
>>> successfully. Thank you for helping me.
>>> Again, here is the pstack output of ns-slapd:
>>>
>>> -sh-4.2$ sudo gstack 2197
>>>
>>> Thread 45 (Thread 0x7f3ad8144700 (LWP 2651)):
>>> #0  0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>>> #1  0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>>> #2  0x00007f3adc11e4a7 in deadlock_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #3  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #4  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #5  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 44 (Thread 0x7f3ad7943700 (LWP 2652)):
>>> #0  0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>>> #1  0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>>> #2  0x00007f3adc122576 in checkpoint_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #3  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #4  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #5  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 43 (Thread 0x7f3ad7142700 (LWP 2653)):
>>> #0  0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>>> #1  0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>>> #2  0x00007f3adc11e71f in trickle_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #3  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #4  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #5  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 42 (Thread 0x7f3ad6941700 (LWP 2654)):
>>> #0  0x00007f3ae74028f3 in select () from /lib64/libc.so.6
>>> #1  0x00007f3ae997d459 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0
>>> #2  0x00007f3adc119437 in perf_threadmain () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #3  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #4  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #5  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 41 (Thread 0x7f3ad6140700 (LWP 2655)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>>> #3  0x00007f3ae058164e in cos_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libcos-plugin.so
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 40 (Thread 0x7f3ad593f700 (LWP 2656)):
>>> #0  0x00007f3ae7400b7d in poll () from /lib64/libc.so.6
>>> #1  0x00007f3addf0247c in ipa_cldap_worker () from /usr/lib64/dirsrv/plugins/libipa_cldap.so
>>> #2  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #3  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 39 (Thread 0x7f3ad513e700 (LWP 2657)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>>> #3  0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 38 (Thread 0x7f3ad493d700 (LWP 2658)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>>> #3  0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 37 (Thread 0x7f3acffff700 (LWP 2659)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae996d438 in slapi_wait_condvar () from /usr/lib64/dirsrv/libslapd.so.0
>>> #3  0x00007f3ada7c0edd in roles_cache_wait_on_change () from /usr/lib64/dirsrv/plugins/libroles-plugin.so
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 36 (Thread 0x7f3acf7fe700 (LWP 2660)):
>>> #0  0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so
>>> #2  0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #3  0x00007f3ae9e21a93 in housecleaning ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 35 (Thread 0x7f3aceffd700 (LWP 2661)):
>>> #0  0x00007f3ae76e1ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d36b07 in pt_TimedWait () from /lib64/libnspr4.so
>>> #2  0x00007f3ae7d36fce in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #3  0x00007f3ae9914188 in eq_loop () from /usr/lib64/dirsrv/libslapd.so.0
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 34 (Thread 0x7f3ace55b700 (LWP 2663)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 33 (Thread 0x7f3acdd5a700 (LWP 2664)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 32 (Thread 0x7f3acd559700 (LWP 2665)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
>>> #2  0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
>>> #3  0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
>>> #4  0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
>>> #5  0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
>>> #6  0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
>>> #7  0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
>>> #8  0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
>>> #9  0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
>>> #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so
>>> #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #18 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #19 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #20 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #21 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #22 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #23 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #24 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0
>>> #25 0x00007f3ae9e2b07e in do_search ()
>>> #26 0x00007f3ae9e1a405 in connection_threadmain ()
>>> #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 31 (Thread 0x7f3accd58700 (LWP 2666)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
>>> #2  0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
>>> #3  0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
>>> #4  0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
>>> #5  0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
>>> #6  0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
>>> #7  0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
>>> #8  0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
>>> #9  0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
>>> #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so
>>> #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #18 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #19 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #20 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #21 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #22 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #23 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #24 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0
>>> #25 0x00007f3ae9e2b07e in do_search ()
>>> #26 0x00007f3ae9e1a405 in connection_threadmain ()
>>> #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 30 (Thread 0x7f3ac3fff700 (LWP 2667)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
>>> #2  0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
>>> #3  0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
>>> #4  0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
>>> #5  0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
>>> #6  0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
>>> #7  0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
>>> #8  0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
>>> #9  0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
>>> #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so
>>> #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #18 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #19 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #20 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0
>>> #21 0x00007f3ae99501de in search_internal_callback_pb () from /usr/lib64/dirsrv/libslapd.so.0
>>> #22 0x00007f3ae9950478 in search_internal_pb () from /usr/lib64/dirsrv/libslapd.so.0
>>> #23 0x00007f3ae9e291fb in ids_sasl_canon_user ()
>>> #24 0x00007f3ae7afd93b in _sasl_canon_user () from /lib64/libsasl2.so.3
>>> #25 0x00007f3ae7afdc4c in _sasl_canon_user_lookup () from /lib64/libsasl2.so.3
>>> #26 0x00007f3ae1c226de in crammd5_server_mech_step2.isra.6 () from /usr/lib64/sasl2/libcrammd5.so
>>> #27 0x00007f3ae1c22ad9 in crammd5_server_mech_step () from /usr/lib64/sasl2/libcrammd5.so
>>> #28 0x00007f3ae7b09b88 in sasl_server_step () from /lib64/libsasl2.so.3
>>> #29 0x00007f3ae9e2a576 in ids_sasl_check_bind ()
>>> #30 0x00007f3ae9e13b22 in do_bind ()
>>> #31 0x00007f3ae9e1a43f in connection_threadmain ()
>>> #32 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #33 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #34 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 29 (Thread 0x7f3ac37fe700 (LWP 2668)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
>>> #2  0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
>>> #3  0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
>>> #4  0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
>>> #5  0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
>>> #6  0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
>>> #7  0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
>>> #8  0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
>>> #9  0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
>>> #10 0x00007f3ae237fad2 in __dbc_get_pp () from /lib64/libdb-5.3.so
>>> #11 0x00007f3adc12d180 in idl_new_fetch () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #12 0x00007f3adc13b5e6 in index_read_ext_allids () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #13 0x00007f3adc125dd4 in keys2idl () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #14 0x00007f3adc126533 in ava_candidates.isra.0 () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #15 0x00007f3adc126b22 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #16 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #17 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #18 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #19 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #20 0x00007f3adc127b96 in list_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #21 0x00007f3adc126a90 in filter_candidates_ext () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #22 0x00007f3adc161fdc in subtree_candidates () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #23 0x00007f3adc1635f7 in ldbm_back_search () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #24 0x00007f3ae993fd49 in op_shared_search () from /usr/lib64/dirsrv/libslapd.so.0
>>> #25 0x00007f3ae9e2b07e in do_search ()
>>> #26 0x00007f3ae9e1a405 in connection_threadmain ()
>>> #27 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #28 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #29 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 28 (Thread 0x7f3ac2ffd700 (LWP 2669)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 27 (Thread 0x7f3ac27fc700 (LWP 2670)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 26 (Thread 0x7f3ac1ffb700 (LWP 2671)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 25 (Thread 0x7f3ac17fa700 (LWP 2672)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 24 (Thread 0x7f3ac0ff9700 (LWP 2673)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 23 (Thread 0x7f3abbfff700 (LWP 2674)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 22 (Thread 0x7f3abb7fe700 (LWP 2675)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 21 (Thread 0x7f3abaffd700 (LWP 2676)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 20 (Thread 0x7f3aba7fc700 (LWP 2677)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 19 (Thread 0x7f3ab9ffb700 (LWP 2678)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 18 (Thread 0x7f3ab97fa700 (LWP 2679)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 17 (Thread 0x7f3ab8ff9700 (LWP 2680)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 16 (Thread 0x7f3ab87f8700 (LWP 2681)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 15 (Thread 0x7f3ab7ff7700 (LWP 2682)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 14 (Thread 0x7f3ab77f6700 (LWP 2683)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 13 (Thread 0x7f3ab6ff5700 (LWP 2684)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 12 (Thread 0x7f3ab67f4700 (LWP 2685)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 11 (Thread 0x7f3ab5ff3700 (LWP 2686)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae22ae2f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
>>> #2  0x00007f3ae22ad640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
>>> #3  0x00007f3ae2357cea in __lock_get_internal () from /lib64/libdb-5.3.so
>>> #4  0x00007f3ae23587d0 in __lock_get () from /lib64/libdb-5.3.so
>>> #5  0x00007f3ae2384112 in __db_lget () from /lib64/libdb-5.3.so
>>> #6  0x00007f3ae22cb5f5 in __bam_search () from /lib64/libdb-5.3.so
>>> #7  0x00007f3ae22b6256 in __bamc_search () from /lib64/libdb-5.3.so
>>> #8  0x00007f3ae22b7d0f in __bamc_get () from /lib64/libdb-5.3.so
>>> #9  0x00007f3ae2370c56 in __dbc_iget () from /lib64/libdb-5.3.so
>>> #10 0x00007f3ae237d843 in __db_get () from /lib64/libdb-5.3.so
>>> #11 0x00007f3ae2381123 in __db_get_pp () from /lib64/libdb-5.3.so
>>> #12 0x00007f3adc12949b in id2entry () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #13 0x00007f3adc14f7dd in ldbm_back_delete () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #14 0x00007f3ae9900190 in op_shared_delete () from /usr/lib64/dirsrv/libslapd.so.0
>>> #15 0x00007f3ae9900342 in delete_internal_pb () from /usr/lib64/dirsrv/libslapd.so.0
>>> #16 0x00007f3adba44739 in mep_del_post_op () from /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so
>>> #17 0x00007f3ae994c280 in plugin_call_func () from /usr/lib64/dirsrv/libslapd.so.0
>>> #18 0x00007f3ae994c4d8 in plugin_call_plugins () from /usr/lib64/dirsrv/libslapd.so.0
>>> #19 0x00007f3adc14e42e in ldbm_back_delete () from /usr/lib64/dirsrv/plugins/libback-ldbm.so
>>> #20 0x00007f3ae9900190 in op_shared_delete () from /usr/lib64/dirsrv/libslapd.so.0
>>> #21 0x00007f3ae9900453 in do_delete () from /usr/lib64/dirsrv/libslapd.so.0
>>> #22 0x00007f3ae9e1a37e in connection_threadmain ()
>>> #23 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #24 0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #25 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 10 (Thread 0x7f3ab57f2700 (LWP 2687)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 9 (Thread 0x7f3ab4ff1700 (LWP 2688)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 8 (Thread 0x7f3ab47f0700 (LWP 2689)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 7 (Thread 0x7f3ab3fef700 (LWP 2690)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 6 (Thread 0x7f3ab37ee700 (LWP 2691)):
>>> #0  0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
>>> #1  0x00007f3ae7d37050 in PR_WaitCondVar () from /lib64/libnspr4.so
>>> #2  0x00007f3ae9e1865e in connection_wait_for_new_work ()
>>> #3  0x00007f3ae9e1988d in connection_threadmain ()
>>> #4  0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so
>>> #5  0x00007f3ae76dddf5 in start_thread () from /lib64/libpthread.so.0
>>> #6  0x00007f3ae740b1ad in clone () from /lib64/libc.so.6
>>>
>>> Thread 5
(Thread 0x7f3ab2fed700 (LWP 2692)): >>> >>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >>> () from >>> /lib64/libpthread.so.0 >>> >>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from >>> /lib64/libnspr4.so >>> >>> #2 0x00007f3ae9e1865e in connection_wait_for_new_work () >>> >>> #3 0x00007f3ae9e1988d in connection_threadmain () >>> >>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >>> >>> #5 0x00007f3ae76dddf5 in start_thread () from >>> /lib64/libpthread.so.0 >>> >>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >>> >>> Thread 4 (Thread 0x7f3ab27ec700 (LWP 2693)): >>> >>> #0 0x00007f3ae74028f3 in select () from /lib64/libc.so.6 >>> >>> #1 0x00007f3ae997d459 in DS_Sleep () from >>> /usr/lib64/dirsrv/libslapd.so.0 >>> >>> #2 0x00007f3ae9e1b2c5 in time_thread () >>> >>> #3 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >>> >>> #4 0x00007f3ae76dddf5 in start_thread () from >>> /lib64/libpthread.so.0 >>> >>> #5 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >>> >>> Thread 3 (Thread 0x7f3ab1feb700 (LWP 2725)): >>> >>> #0 0x00007f3ae76e1ab2 in >>> pthread_cond_timedwait@@GLIBC_2.3.2 >>> () from >>> /lib64/libpthread.so.0 >>> >>> #1 0x00007f3ae7d36b07 in pt_TimedWait () from >>> /lib64/libnspr4.so >>> >>> #2 0x00007f3ae7d36fce in PR_WaitCondVar () from >>> /lib64/libnspr4.so >>> >>> #3 0x00007f3ae0376374 in sync_send_results () from >>> /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so >>> >>> #4 0x00007f3ae7d3c7bb in _pt_root () from /lib64/libnspr4.so >>> >>> #5 0x00007f3ae76dddf5 in start_thread () from >>> /lib64/libpthread.so.0 >>> >>> #6 0x00007f3ae740b1ad in clone () from /lib64/libc.so.6 >>> >>> Thread 2 (Thread 0x7f3ab17ea700 (LWP 2967)): >>> >>> #0 0x00007f3ae76e1705 in pthread_cond_wait@@GLIBC_2.3.2 >>> () from >>> /lib64/libpthread.so.0 >>> >>> #1 0x00007f3ae7d37050 in PR_WaitCondVar () from >>> /lib64/libnspr4.so >>> >>> #2 0x00007f3ae9e25c85 in ps_send_results () >>> >>> #3 0x00007f3ae7d3c7bb in _pt_root 
>>> On Fri, Sep 18, 2015 at 12:52 AM, Ludwig Krispenz wrote:
>>>
>>> On 09/18/2015 12:24 AM, HECTOR LOPEZ wrote:
>>>> This is rhel 7.1 with ipa version 4.1.0
>>>>
>>>> user-show shows the user. However, if the user contains
>>>> ipaNTSecurityIdentifier: attribute, user-del hangs with
>>>> no response.
>>>>
>>>> Meanwhile, the KDC and 389ds stop working. The only way
>>>> to recover functionality is to reboot the machine.
>>>> ipactl restart does nothing.
>>> If it hangs again, could you get a pstack of the slapd
>>> process ?
>>> If you then kill slapd, does ipactl restart work ?
>>>
>>>> In the ldap access log I see this when trying to delete
>>>> user sclown:
>>>>
>>>> [14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0 etime=0
>>>> [14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
>>>> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
>>>> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0
>>>> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
>>>> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z 1:0 (0)
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 nentries=0 etime=0
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV 200:0:20150914093009Z 1:10 (0)
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 tag=101 nentries=1 etime=0
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV 200:0:20150914093009Z 0:0 (0)
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
>>>> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101 nentries=1 etime=0
>>>> [14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
>>>>
>>>> Then in the ldap error log I see this, which makes me
>>>> think there is a problem with the changelog:
>>>>
>>>> [14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for changenumber=91314,cn=changelog from entryrdn index (-30993)
>>>> [14/Sep/2015:09:30:03 -0700] - Operation error fetching changenumber=91314,cn=changelog (null), error -30993.
>>>> [14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error occured while adding change number 91314, dn = changenumber=91314,cn=changelog: Operations error.
>>>> [14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>
>>>> After this both kdc and ldap stop responding. In the
>>>> krb5kdc.log I see server errors after the user-del
>>>> command is run. The only way to resume normal
>>>> operations is to restart the whole machine. ipactl
>>>> restart doesn't work.
>>>>
>>>> Any help would be highly appreciated!
>>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>

From pbrezina at redhat.com Fri Sep 25 09:48:27 2015
From: pbrezina at redhat.com (Pavel Březina)
Date: Fri, 25 Sep 2015 11:48:27 +0200
Subject: [Freeipa-users] sudo options/sss_cache
In-Reply-To: <20150925080559.GH7272@hendrix.redhat.com>
References: <20150925080559.GH7272@hendrix.redhat.com>
Message-ID: <5605186B.3030303@redhat.com>

On 09/25/2015 10:06 AM, Jakub Hrozek wrote:
> On Thu, Sep 24, 2015 at 03:39:48PM +0200, Christoph Kaminski wrote:
>> Hi
>>
>> I have 3 problems/questions with ipa and sudo...
>>
>> 1. How to make a GLOBAL sudo rule with all the options what I want to
>> have? (e.g. !authenticate). I have tried to make a sudo rule for all users
>> on all hosts whom all users but without command and it doesn't work... Do I
>> need to set it for each rule separately?
>
> Pavel (CC) would know this better, in native sudo there is a global
> entry but I keep forgetting what it is in IPA..

Hi, please, create a rule named "defaults".

I see this question is returning frequently. I think it should be supported
directly by user interface.

>
>>
>> 2. How can I with sss_cache invalidate sudo rules? Do I need ever to kill
>> all files inside /var/lib/sssd/db? I don't see an option in sss_cache for
>> this :/
>
> sss_cache can't do that because at the moment the sudo rule updates are
> kinda complex. See man sssd-sudo for all the different refreshes. You
> can either cycle sssd by sending it USR1 and then USR2 or tune the cache
> refreshes.
>
>>
>> 3. How long is the time where sssd invalidates the sudo rules and make a
>> new look into ipa? Can I set this time?
>
> See above.
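To put the "tune the cache refreshes" option from the reply above next to the defaults, here is an sssd.conf fragment added for illustration (not configuration from the thread or from the SSSD project); the domain name is a placeholder, and the option names are the ones documented in man sssd-sudo, sssd-ldap and sssd.conf.

```ini
; Constructed example, not configuration from the thread: shorten the
; SSSD sudo refresh intervals so that rule changes made in IPA (such as
; options carried by a "defaults" rule, e.g. !authenticate) reach the
; client sooner than the stock timers allow. Domain name is a placeholder.
[sssd]
; The sudo responder must be enabled for sudo rules to be served at all.
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ipa

; Full refresh: re-download every sudo rule the client is entitled to.
; Default 21600 seconds (6 hours).
ldap_sudo_full_refresh_interval = 3600

; Smart refresh: fetch only rules changed since the last refresh.
; Default 900 seconds (15 minutes); keep it shorter than the full interval.
ldap_sudo_smart_refresh_interval = 300

; How long a cached rule is handed to the sudo responder before the
; backend is asked again. Default falls back to entry_cache_timeout (5400).
entry_cache_sudo_timeout = 1800

; For a one-off refresh without editing this file, the advice in the
; thread applies: send sssd SIGUSR1 (go offline) and then SIGUSR2 (go
; back online), which triggers the refresh on reconnect.
```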
From jhrozek at redhat.com Fri Sep 25 11:12:48 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 25 Sep 2015 13:12:48 +0200
Subject: [Freeipa-users] sudo options/sss_cache
In-Reply-To: <5605186B.3030303@redhat.com>
References: <20150925080559.GH7272@hendrix.redhat.com> <5605186B.3030303@redhat.com>
Message-ID: <20150925111248.GM7272@hendrix.redhat.com>

On Fri, Sep 25, 2015 at 11:48:27AM +0200, Pavel Březina wrote:
> On 09/25/2015 10:06 AM, Jakub Hrozek wrote:
> >On Thu, Sep 24, 2015 at 03:39:48PM +0200, Christoph Kaminski wrote:
> >>Hi
> >>
> >>I have 3 problems/questions with ipa and sudo...
> >>
> >>1. How to make a GLOBAL sudo rule with all the options what I want to
> >>have? (e.g. !authenticate). I have tried to make a sudo rule for all users
> >>on all hosts whom all users but without command and it doesn't work... Do I
> >>need to set it for each rule separately?
> >
> >Pavel (CC) would know this better, in native sudo there is a global
> >entry but I keep forgetting what it is in IPA..
>
> Hi, please, create a rule named "defaults".
>
> I see this question is returning frequently. I think it should be supported
> directly by user interface.

+1

care to file a ticket?

..and a good candidate for the troubleshooting guide in the works :-)

From andreas.ladanyi at kit.edu Fri Sep 25 12:36:31 2015
From: andreas.ladanyi at kit.edu (Andreas Ladanyi)
Date: Fri, 25 Sep 2015 14:36:31 +0200
Subject: [Freeipa-users] ipa-client-install error
Message-ID: <56053FCF.5060204@kit.edu>

Hi,

I want to install ipa client:

ipa-client-install -d

I get the following error:

Verifying that "MyFreeIPA Server" (realm None) is an IPA server
Init LDAP connection to: "MyFreeIPA Server"
Error checking LDAP: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Skip "MyFreeIPA Server" : cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; ...................................
Validated servers:
Failed to verify that "MyFreeIPA Server" is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
"MyFreeIPA Server" : Provided interactively)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

selinux on the ipa client and ipa server is permissive, iptables is empty.

It seems to be a problem with the SSL certificate of freeipa.

About the client:

rpm -qi ipa-client
Name        : ipa-client
Version     : 4.1.0
Release     : 18.el7.centos.4

About the freeipa server:

rpm -qi freeipa-server
Name        : freeipa-server
Version     : 4.1.4
Release     : 1.fc21

regards,
Andy
From npmccallum at redhat.com Fri Sep 25 13:15:41 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Fri, 25 Sep 2015 09:15:41 -0400
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To: <20150925072219.GG2227@redhat.com>
References: <1442926553.10697.70.camel@redhat.com> <20150925062909.GA2227@redhat.com> <20150925070955.GB4144@redhat.com> <20150925072219.GG2227@redhat.com>
Message-ID: <1443186941.10697.133.camel@redhat.com>

On Fri, 2015-09-25 at 09:22 +0200, Jan Pazdziora wrote:
> On Fri, Sep 25, 2015 at 10:09:55AM +0300, Alexander Bokovoy wrote:
> > >
> > > Well, we have separate daemon listening on the
> > > /var/run/krb5kdc/DEFAULT.socket in the container which should start
> > > the ipa-otpd@.service when there's a connection made to it. But
> > > somehow it does not seem to be happening even if I fix the parsing of
> > > /etc/ipa/default.conf that ipa-otpd@.service is doing.
> > As I wrote earlier, ipa-otpd relies on socket activation feature of
> > systemd -- systemd opens this socket and listens for incoming
> > connections. Any incoming connection causes to start ipa-otpd daemon and
> > connects its stdin/stdout to the socket's client.
>
> And in the container there is no systemd so I emulate it there by just
> running a separate daemon listening on that socket which will fork
> that ipa-otpd daemon.

Is it in the same container? Because ipa-otpd uses ldapi.

> > > What is the simplest way to trigger the connection to
> > > /var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
> > Use socat. Something like
> > socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd
>
> I meant, how do I cause the IPA stack (KDC?) to make the connection
> and communication with the ipa-otpd daemon?
>
> Also, does the Sync OTP Token operation invoke the ipa-otpd daemon
> path (so if Duncan managed to sync the token, it worked for him at
> least once) in any way or does it bypass it?
>

From nathan at nathanpeters.com Fri Sep 25 20:51:43 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Fri, 25 Sep 2015 13:51:43 -0700
Subject: [Freeipa-users] Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment
Message-ID:

Setup : FreeIPA server 4.1.2 on CentOS 7. FreeIPA client on CentOS 5.11

Client installed properly with the exception of the following error about updating A records (from ipaclient-install.log)

2015-09-25 12:24:23,195 DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone ipadomain.net.
update delete msghub4.ipadomain.net. IN A
send
update add msghub4.ipadomain.net. 1200 IN A 10.21.5.215
send

2015-09-25 12:24:29,500 DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2015-09-25 12:24:29,500 DEBUG stdout=
2015-09-25 12:24:29,500 DEBUG stderr=mem.c:877: INSIST(ctx->stats[i].gets == 0U) failed.

After that I checked DNS and confirmed that the A entry existed, and it did. Also the reverse entry was correct. Also, time on the server is correct. Also, there are no strange entries in the hosts file.

I know that CentOS 5.11 works with FreeIPA because I have another 5.11 machine with ssh and sudo both working using ipa/ldap.

However, the big problem is that I cannot login with ipa users on this one machine.
From the client :

[root@msghub4 ipa]# kinit username
Password for username@IPADOMAIN.NET:
[root@msghub4 ipa]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: username@IPADOMAIN.NET

Valid starting     Expires            Service principal
09/25/15 16:41:51  09/26/15 16:41:48  krbtgt/IPADOMAIN.NET@IPADOMAIN.NET

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

When I enable logging in the sssd I get the following in the krb5_child.log:

(Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]] [krb5_child_setup] (7): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]] [krb5_child_setup] (9): Not using FAST.
(Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] (5): krb5_get_init_creds_opt_set_expire_callback not available.
(Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]] [get_and_save_tgt] (1): 721: [-1765328353][Decrypt integrity check failed]
(Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]] [tgt_req_child] (1): 980: [-1765328353][Decrypt integrity check failed]

According to every google search I've done, "decrypt integrity check failed" means bad password. I know this is wrong because I can login to 200 other machines in this domain with password or kerberos and my password does not expire for 10 years.

Here is my sssd.log :
Here is the contents of my sss_mydomain.net.log :
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [uid] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [uidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gecos] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [homeDirectory] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [loginShell] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [krbPrincipalName] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [memberOf] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [shadowLastChange] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [shadowMin] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [shadowMax] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): 
Requesting attrs: [shadowWarning] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [shadowInactive] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [shadowExpire] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [shadowFlag] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [krbLastPwdChange] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [krbPasswordExpiration] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [pwdAttribute] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [authorizedService] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [accountExpires] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userAccountControl] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsAccountLock] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 122 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83e0790], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_parse_entry] (9): OriginalDN: [uid=username,cn=users,cn=accounts,dc=ipadomain,dc=net]. 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83e0790], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_initgr_user] (9): Receiving info for the user (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 0) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_initgr_user] (9): Storing the user (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (9): Save user (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (7): Adding original DN [uid=username,cn=users,cn=accounts,dc=ipadomain,dc=net] to attributes of [username]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (7): Adding original memberOf attributes to [username]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (7): Adding user principal [username at ipadomain.net] to attributes of [username]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (9): Adding [krbLastPwdChange]=[20150525212313Z] to user attributes. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (9): Adding [krbPasswordExpiration]=[20250522212313Z] to user attributes. 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (6): Storing info for user username (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 1) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83ea220 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83ea340 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83ea220 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83ea340 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83ea220 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 2) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83fbd60 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83fbe80 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83fbd60 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83fbe80 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83fbd60 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb transaction (nesting: 2) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 2) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [userPassword] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event 
"ltdb_callback": 0x83eab10 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83eac30 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83eab10 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83eac30 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83eab10 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [uniqueID] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x8405da0 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x8405ec0 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x8405da0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x8405ec0 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x8405da0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [shadowLastChange] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x8405e40 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x8405f60 (Fri Sep 25 16:48:39 
2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x8405e40 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x8405f60 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x8405e40 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [shadowMin] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83ead50 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83eae00 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83ead50 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83eae00 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83ead50 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [shadowMax] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83eabd0 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83eacf0 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83eabd0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: 
Destroying timer event 0x83eacf0 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83eabd0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [shadowWarning] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83eab10 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83eac30 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83eab10 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83eac30 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83eab10 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [shadowInactive] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x8405f20 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x8406040 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x8405f20 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x8406040 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x8405f20 "ltdb_callback" 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [shadowExpire] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83ead80 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83f65b0 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83ead80 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83f65b0 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83ead80 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [shadowFlag] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83eaaa0 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83eab50 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83eaaa0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83eab50 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83eaaa0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] 
[sysdb_remove_attrs] (8): Removing attribute [pwdAttribute] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83eacb0 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83eadd0 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83eacb0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83eadd0 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83eacb0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [authorizedService] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83f65e0 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83f6700 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83f65e0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83f6700 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83f65e0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [adAccountExpires] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb 
transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83f6650 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83f6770 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83f6650 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83f6770 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83f6650 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [adUserAccountControl] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83f6710 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83f6830 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83f6710 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83f6830 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83f6710 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sysdb_remove_attrs] (8): Removing attribute [nsAccountLock] from [username] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83eacb0 (Fri Sep 25 
16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83f6830 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83eacb0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83f6830 "ltdb_timeout" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83eacb0 "ltdb_callback" (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): cancel ldb transaction (nesting: 3) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb transaction (nesting: 2) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb transaction (nesting: 1) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_initgr_user] (9): Commit change (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb transaction (nesting: 0) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_initgr_user] (9): Process user's groups (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=developers,cn=groups,cn=accounts,dc=ipadomain,dc=net]. 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 123 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee160], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee160], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=developers,cn=groups,cn=accounts,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][ipaUniqueID=8933b03e-031f-11e5-aeb6-005056b71d17,cn=hbac,dc=ipadomain,dc=net]. 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 124 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group ipaUniqueID=8933b03e-031f-11e5-aeb6-005056b71d17,cn=hbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][ipaUniqueID=5b317c38-04c9-11e5-b973-005056b71d17,cn=sudorules,cn=sudo,dc=ipadomain,dc=net]. 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 125 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group ipaUniqueID=5b317c38-04c9-11e5-b973-005056b71d17,cn=sudorules,cn=sudo,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=GR Read Only,cn=roles,cn=accounts,dc=ipadomain,dc=net]. 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 126 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=GR Read Only,cn=roles,cn=accounts,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=deployment_engineer,cn=groups,cn=accounts,dc=ipadomain,dc=net]. 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 127 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=deployment_engineer,cn=groups,cn=accounts,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=admins,cn=groups,cn=accounts,dc=ipadomain,dc=net]. 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 128
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_parse_entry] (9): OriginalDN: [cn=admins,cn=groups,cn=accounts,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Replication Administrators,cn=privileges,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 129
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83edf50], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83edf50], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=Replication Administrators,cn=privileges,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 130
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 131
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 132
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 133
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 134
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read DNA Range,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 135
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=Read DNA Range,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 136
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 137
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 138
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 139
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Host Enrollment,cn=privileges,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 140
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=Host Enrollment,cn=privileges,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 141
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 142
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 143
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ipadomain,dc=net].
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 144
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370]
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 145 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 146 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=DNS Administrator,cn=roles,cn=accounts,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 147 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=DNS Administrator,cn=roles,cn=accounts,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 148 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 149 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 150 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 151 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 152 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 153 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 154 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 155 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! 
(Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): dbus conn: 83B4700 (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): Dispatching. (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sbus_message_handler] (9): Received SBUS method [ping] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 156 
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83edf50], ldap[0x83d0370] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83edf50], ldap[0x83d0370] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][ipaUniqueID=33381f3e-0320-11e5-8c1b-005056b71d17,cn=hbac,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 157 (Fri Sep 25 16:48:40 
2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83edf50], ldap[0x83d0370] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83edf50], ldap[0x83d0370] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group ipaUniqueID=33381f3e-0320-11e5-8c1b-005056b71d17,cn=hbac,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][ipaUniqueID=d79d0cfa-04b6-11e5-9f43-005056b71d17,cn=sudorules,cn=sudo,dc=ipadomain,dc=net]. (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [cn] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [userPassword] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [member] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 158 (Fri Sep 25 16:48:40 2015) 
[sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83edf50], ldap[0x83d0370] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83edf50], ldap[0x83d0370] (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_search] (2): Search for group ipaUniqueID=d79d0cfa-04b6-11e5-9f43-005056b71d17,cn=sudorules,cn=sudo,dc=ipadomain,dc=net, returned 0 results. Skipping (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 0) (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 1) (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 2) (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83ed490 (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83ed5b0 (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83ed490 "ltdb_callback" (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83ed5b0 "ltdb_timeout" (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83ed490 "ltdb_callback" (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb transaction (nesting: 2) (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb transaction (nesting: 1) (Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sysdb_get_direct_parents] (8): searching sysdb with filter 
[(&(objectClass=group)(member=name=admins,cn=groups,cn=ipadomain.net,cn=sysdb))]
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83ed6d0
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83ed780
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83ed6d0 "ltdb_callback"
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83ed780 "ltdb_timeout"
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83ed6d0 "ltdb_callback"
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sysdb_get_direct_parents] (7): admins is a member of 0 sysdb groups
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_get_direct_parents] (9): Looking up direct parents for group [cn=admins,cn=groups,cn=accounts,dc=ipadomain,dc=net]
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_get_direct_parents] (9): The group [cn=admins,cn=groups,cn=accounts,dc=ipadomain,dc=net] has 0 direct parents
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_nested_get_membership_diff] (7): The group admins is a direct member of 0 LDAP groups
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 1)
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 2)
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb transaction (nesting: 2)
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb transaction (nesting: 1)
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_store_user_memberships] (7): The user username is a direct member of 0 LDAP groups
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sysdb_get_direct_parents] (8): searching sysdb with filter [(&(objectClass=group)(member=name=username,cn=users,cn=ipadomain.net,cn=sysdb))]
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83ed260
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83ed910
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83ed260 "ltdb_callback"
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83ed910 "ltdb_timeout"
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83ed260 "ltdb_callback"
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sysdb_get_direct_parents] (7): username is a member of 0 sysdb groups
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 1)
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_initgr_store_user_memberships] (8): Updating memberships for username
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb transaction (nesting: 2)
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb transaction (nesting: 2)
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb transaction (nesting: 1)
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb transaction (nesting: 0)
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_get_initgr_done] (9): Initgroups done
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_id_op_connect_step] (9): reusing cached connection
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_id_op_destroy] (9): releasing operation connection
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_id_op_done] (9): releasing operation connection
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: sh[0x83cf0d0], connected[1], ops[(nil)], ldap[0x83d0370]
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): dbus conn: 83C4D10
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): Dispatching.
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sbus_message_handler] (9): Received SBUS method [pamHandler]
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [be_pam_handler] (4): Got request with the following data
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): domain: ipadomain.net
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): user: username
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): service: sshd
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): tty: ssh
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): ruser:
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): rhost: 10.5.5.57
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): authtok type: 1
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): authtok size: 13
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): newauthtok type: 0
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): newauthtok size: 0
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): priv: 0
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [pam_print_data] (4): cli_pid: 11198
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x83ccbb0
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x83cef20
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Running timer event 0x83ccbb0 "ltdb_callback"
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Destroying timer event 0x83cef20 "ltdb_timeout"
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: Ending timer event 0x83ccbb0 "ltdb_callback"
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [krb5_auth_send] (4): No ccache file for user [username] found.
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [krb5_auth_send] (9): Ccache_file is [not set] and is not active and TGT is not valid.
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [fo_resolve_service_send] (4): Trying to resolve service 'IPA'
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [get_server_status] (7): Status of server 'dc1.ipadomain.net' is 'name resolved'
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [get_port_status] (7): Port status of port 389 for server 'dc1.ipadomain.net' is 'working'
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [resolve_srv_send] (6): The status of SRV lookup is resolved
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [get_server_status] (7): Status of server 'dc1.ipadomain.net' is 'name resolved'
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [be_resolve_server_done] (7): Saving the first resolved server
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [be_resolve_server_done] (4): Found address for server dc1.ipadomain.net: [10.21.0.99] TTL 1200
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [krb5_find_ccache_step] (9): Recreating ccache file.
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [child_handler_setup] (8): Setting up signal handler up for pid [11200]
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [child_handler_setup] (8): Signal handler set up for pid [11200]
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [write_pipe_handler] (6): All data has been sent!
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [read_pipe_handler] (6): EOF received, client finished
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [krb5_child_done] (9): child response [4][1][31].
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [be_pam_handler_callback] (4): Backend returned: (0, 4, ) [Success]
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [be_pam_handler_callback] (4): Sending result [4][ipadomain.net]
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [be_pam_handler_callback] (4): Sent result [4][ipadomain.net]
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [child_sig_handler] (7): Waiting for child [11200].
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [child_sig_handler] (4): child [11200] finished successfully.
(Fri Sep 25 16:48:40 2015) [sssd[be[ipadomain.net]]] [sss_child_handler] (8): waitpid failed [10]: No child processes
(Fri Sep 25 16:48:49 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): dbus conn: 83B4700
(Fri Sep 25 16:48:49 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): Dispatching.
(Fri Sep 25 16:48:49 2015) [sssd[be[ipadomain.net]]] [sbus_message_handler] (9): Received SBUS method [ping]

From nathan at nathanpeters.com  Fri Sep 25 21:10:16 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Fri, 25 Sep 2015 14:10:16 -0700
Subject: [Freeipa-users] Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment
In-Reply-To: 
References: 
Message-ID: 

The issue was an AllowGroups directive in /etc/ssh/sshd_config that was blocking this. It was not a FreeIPA issue :)

> Setup : FreeIPA server 4.1.2 on CentOS 7.
> FreeIPA client on CentOS 5.11
>
> Client installed properly with the exception of the following error about
> updating A records (from ipaclient-install.log)
>
> 2015-09-25 12:24:23,195 DEBUG Writing nsupdate commands to
> /etc/ipa/.dns_update.txt:
> zone ipadomain.net.
> update delete msghub4.ipadomain.net. IN A
> send
> update add msghub4.ipadomain.net. 1200 IN A 10.21.5.215
> send
> 2015-09-25 12:24:29,500 DEBUG args=/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt
> 2015-09-25 12:24:29,500 DEBUG stdout=
> 2015-09-25 12:24:29,500 DEBUG stderr=mem.c:877: INSIST(ctx->stats[i].gets
> == 0U) failed.
>
> After I checked DNS though and confirmed that the A entry existed and it
> did. Also reverse entry was correct. Also, time on server is correct.
> Also, there are no strange entries in the hosts file.
>
> I know that CentOS 5.11 works with FreeIPA because I have another 5.11
> machine with ssh and sudo both working using ipa/ldap.
>
> However, the big problem is that I cannot log in with ipa users on this one
> machine. From the client :
>
> [root at msghub4 ipa]# kinit username
> Password for username at IPADOMAIN.NET:
> [root at msghub4 ipa]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: username at IPADOMAIN.NET
>
> Valid starting       Expires              Service principal
> 09/25/15 16:41:51    09/26/15 16:41:48    krbtgt/IPADOMAIN.NET at IPADOMAIN.NET
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> When I enable logging in the sssd I get the following in the
> krb5_child.log:
>
> (Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]] [krb5_child_setup]
> (7): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]] [krb5_child_setup]
> (7): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]] [krb5_child_setup]
> (9): Not using FAST.
> (Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]]
> [sss_krb5_get_init_creds_opt_set_expire_callback] (5):
> krb5_get_init_creds_opt_set_expire_callback not available.
> (Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]] [get_and_save_tgt]
> (1): 721: [-1765328353][Decrypt integrity check failed]
> (Fri Sep 25 16:23:55 2015) [[sssd[krb5_child[11095]]]] [tgt_req_child]
> (1): 980: [-1765328353][Decrypt integrity check failed]
>
> According to every Google search I've done, "decrypt integrity check
> failed" means bad password. I know this is wrong because I can log in to
> 200 other machines in this domain with password or kerberos and my
> password does not expire for 10 years.
>
> Here is my sssd.log :
>
> (Fri Sep 25 16:46:30 2015) [sssd] [sbus_dispatch] (9): Dispatching.
> (Fri Sep 25 16:46:30 2015) [sssd] [ping_check] (4): Service ipadomain.net
> replied to ping
> (Fri Sep 25 16:46:30 2015) [sssd] [sbus_remove_timeout] (8): 0xed6dfb0
> (Fri Sep 25 16:46:30 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6EE00
> (Fri Sep 25 16:46:30 2015) [sssd] [sbus_dispatch] (9): Dispatching.
> (Fri Sep 25 16:46:30 2015) [sssd] [ping_check] (4): Service nss replied to
> ping
> (Fri Sep 25 16:46:30 2015) [sssd] [sbus_remove_timeout] (8): 0xed75e80
> (Fri Sep 25 16:46:30 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6CD00
> (Fri Sep 25 16:46:30 2015) [sssd] [sbus_dispatch] (9): Dispatching.
> (Fri Sep 25 16:46:30 2015) [sssd] [ping_check] (4): Service pam replied to > ping > (Fri Sep 25 16:46:39 2015) [sssd] [service_send_ping] (4): Pinging > ipadomain.net > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_add_timeout] (8): 0xed75e80 > (Fri Sep 25 16:46:40 2015) [sssd] [service_send_ping] (4): Pinging nss > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_add_timeout] (8): 0xed6dfb0 > (Fri Sep 25 16:46:40 2015) [sssd] [service_send_ping] (4): Pinging pam > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_add_timeout] (8): 0xed66930 > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_remove_timeout] (8): 0xed75e80 > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6A1B0 > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_dispatch] (9): Dispatching. > (Fri Sep 25 16:46:40 2015) [sssd] [ping_check] (4): Service ipadomain.net > replied to ping > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_remove_timeout] (8): 0xed6dfb0 > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6EE00 > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_dispatch] (9): Dispatching. > (Fri Sep 25 16:46:40 2015) [sssd] [ping_check] (4): Service nss replied to > ping > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_remove_timeout] (8): 0xed66930 > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6CD00 > (Fri Sep 25 16:46:40 2015) [sssd] [sbus_dispatch] (9): Dispatching. 
> (Fri Sep 25 16:46:40 2015) [sssd] [ping_check] (4): Service pam replied to > ping > (Fri Sep 25 16:46:49 2015) [sssd] [service_send_ping] (4): Pinging > ipadomain.net > (Fri Sep 25 16:46:49 2015) [sssd] [sbus_add_timeout] (8): 0xed66930 > (Fri Sep 25 16:46:49 2015) [sssd] [service_send_ping] (4): Pinging nss > (Fri Sep 25 16:46:49 2015) [sssd] [sbus_add_timeout] (8): 0xed6dfb0 > (Fri Sep 25 16:46:49 2015) [sssd] [service_send_ping] (4): Pinging pam > (Fri Sep 25 16:46:49 2015) [sssd] [sbus_add_timeout] (8): 0xed75e80 > (Fri Sep 25 16:46:50 2015) [sssd] [sbus_remove_timeout] (8): 0xed66930 > (Fri Sep 25 16:46:50 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6A1B0 > (Fri Sep 25 16:46:50 2015) [sssd] [sbus_dispatch] (9): Dispatching. > (Fri Sep 25 16:46:50 2015) [sssd] [ping_check] (4): Service ipadomain.net > replied to ping > (Fri Sep 25 16:46:50 2015) [sssd] [sbus_remove_timeout] (8): 0xed6dfb0 > (Fri Sep 25 16:46:50 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6EE00 > (Fri Sep 25 16:46:50 2015) [sssd] [sbus_dispatch] (9): Dispatching. > (Fri Sep 25 16:46:50 2015) [sssd] [ping_check] (4): Service nss replied to > ping > (Fri Sep 25 16:46:50 2015) [sssd] [sbus_remove_timeout] (8): 0xed75e80 > (Fri Sep 25 16:46:50 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6CD00 > (Fri Sep 25 16:46:50 2015) [sssd] [sbus_dispatch] (9): Dispatching. 
> (Fri Sep 25 16:46:50 2015) [sssd] [ping_check] (4): Service pam replied to > ping > (Fri Sep 25 16:46:59 2015) [sssd] [service_send_ping] (4): Pinging > ipadomain.net > (Fri Sep 25 16:46:59 2015) [sssd] [sbus_add_timeout] (8): 0xed75e80 > (Fri Sep 25 16:46:59 2015) [sssd] [service_send_ping] (4): Pinging nss > (Fri Sep 25 16:46:59 2015) [sssd] [sbus_add_timeout] (8): 0xed6dfb0 > (Fri Sep 25 16:46:59 2015) [sssd] [service_send_ping] (4): Pinging pam > (Fri Sep 25 16:46:59 2015) [sssd] [sbus_add_timeout] (8): 0xed66930 > (Fri Sep 25 16:47:00 2015) [sssd] [sbus_remove_timeout] (8): 0xed75e80 > (Fri Sep 25 16:47:00 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6A1B0 > (Fri Sep 25 16:47:00 2015) [sssd] [sbus_dispatch] (9): Dispatching. > (Fri Sep 25 16:47:00 2015) [sssd] [ping_check] (4): Service ipadomain.net > replied to ping > (Fri Sep 25 16:47:00 2015) [sssd] [sbus_remove_timeout] (8): 0xed6dfb0 > (Fri Sep 25 16:47:00 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6EE00 > (Fri Sep 25 16:47:00 2015) [sssd] [sbus_dispatch] (9): Dispatching. > (Fri Sep 25 16:47:00 2015) [sssd] [ping_check] (4): Service nss replied to > ping > (Fri Sep 25 16:47:00 2015) [sssd] [sbus_remove_timeout] (8): 0xed66930 > (Fri Sep 25 16:47:00 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6CD00 > (Fri Sep 25 16:47:00 2015) [sssd] [sbus_dispatch] (9): Dispatching. 
> (Fri Sep 25 16:47:00 2015) [sssd] [ping_check] (4): Service pam replied to > ping > (Fri Sep 25 16:47:10 2015) [sssd] [service_send_ping] (4): Pinging > ipadomain.net > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_add_timeout] (8): 0xed66930 > (Fri Sep 25 16:47:10 2015) [sssd] [service_send_ping] (4): Pinging nss > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_add_timeout] (8): 0xed6dfb0 > (Fri Sep 25 16:47:10 2015) [sssd] [service_send_ping] (4): Pinging pam > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_add_timeout] (8): 0xed75e80 > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_remove_timeout] (8): 0xed66930 > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6A1B0 > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_dispatch] (9): Dispatching. > (Fri Sep 25 16:47:10 2015) [sssd] [ping_check] (4): Service ipadomain.net > replied to ping > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_remove_timeout] (8): 0xed6dfb0 > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6EE00 > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_dispatch] (9): Dispatching. > (Fri Sep 25 16:47:10 2015) [sssd] [ping_check] (4): Service nss replied to > ping > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_remove_timeout] (8): 0xed75e80 > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_dispatch] (9): dbus conn: ED6CD00 > (Fri Sep 25 16:47:10 2015) [sssd] [sbus_dispatch] (9): Dispatching. > (Fri Sep 25 16:47:10 2015) [sssd] [ping_check] (4): Service pam replied to > ping > > Here is the contents of my sss_mydomain.net.log : > > (Fri Sep 25 16:47:49 2015) [sssd[be[ipadomain.net]]] > [sbus_message_handler] (9): Received SBUS method [ping] > (Fri Sep 25 16:47:59 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > dbus conn: 83B4700 > (Fri Sep 25 16:47:59 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > Dispatching. 
> (Fri Sep 25 16:47:59 2015) [sssd[be[ipadomain.net]]] > [sbus_message_handler] (9): Received SBUS method [ping] > (Fri Sep 25 16:48:10 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > dbus conn: 83B4700 > (Fri Sep 25 16:48:10 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > Dispatching. > (Fri Sep 25 16:48:10 2015) [sssd[be[ipadomain.net]]] > [sbus_message_handler] (9): Received SBUS method [ping] > (Fri Sep 25 16:48:19 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > dbus conn: 83B4700 > (Fri Sep 25 16:48:20 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > Dispatching. > (Fri Sep 25 16:48:20 2015) [sssd[be[ipadomain.net]]] > [sbus_message_handler] (9): Received SBUS method [ping] > (Fri Sep 25 16:48:29 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > dbus conn: 83B4700 > (Fri Sep 25 16:48:29 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > Dispatching. > (Fri Sep 25 16:48:29 2015) [sssd[be[ipadomain.net]]] > [sbus_message_handler] (9): Received SBUS method [ping] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > dbus conn: 83C7600 > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > Dispatching. > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sbus_message_handler] (9): Received SBUS method [getAccountInfo] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [be_get_account_info] > (4): Got request for [4098][1][idnumber=756600344] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_id_op_connect_step] (9): reusing cached connection > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(gidNumber=756600344)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=ipadomain,dc=net]. 
> (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 121 > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83e06e0], ldap[0x83d0370] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_parse_entry] > (9): OriginalDN: [cn=username,cn=groups,cn=accounts,dc=ipadomain,dc=net]. > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83e06e0], ldap[0x83d0370] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] > [sdap_get_groups_process] (6): Search for groups, returned 1 results. 
> (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb > transaction (nesting: 0) > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_save_group] > (8): This is a posix group > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_save_group] > (7): Adding original DN > [cn=username,cn=groups,cn=accounts,dc=ipadomain,dc=net] to attributes of > [username]. > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_save_group] > (6): Storing info for group username > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Added timed event "ltdb_callback": 0x83da130 > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Added timed event "ltdb_timeout": 0x83da250 > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Running timer event 0x83da130 "ltdb_callback" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Destroying timer event 0x83da250 "ltdb_timeout" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Ending timer event 0x83da130 "ltdb_callback" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb > transaction (nesting: 1) > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Added timed event "ltdb_callback": 0x83e26e0 > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Added timed event "ltdb_timeout": 0x83e2800 > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Running timer event 0x83e26e0 "ltdb_callback" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Destroying timer event 0x83e2800 "ltdb_timeout" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Ending timer event 0x83e26e0 "ltdb_callback" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb > transaction (nesting: 1) > (Fri Sep 25 16:48:35 2015) 
[sssd[be[ipadomain.net]]] [sdap_save_groups] > (9): Group 0 processed! > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_save_grpmem] > (7): No members for group [username] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_save_grpmem] > (6): Storing members for group username > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Added timed event "ltdb_callback": 0x83e2b00 > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Added timed event "ltdb_timeout": 0x83e91d0 > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Running timer event 0x83e2b00 "ltdb_callback" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Destroying timer event 0x83e91d0 "ltdb_timeout" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Ending timer event 0x83e2b00 "ltdb_callback" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb > transaction (nesting: 1) > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Added timed event "ltdb_callback": 0x83cd9d0 > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Added timed event "ltdb_timeout": 0x83cda80 > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Running timer event 0x83cd9d0 "ltdb_callback" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Destroying timer event 0x83cda80 "ltdb_timeout" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): tevent: > Ending timer event 0x83cd9d0 "ltdb_callback" > > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb > transaction (nesting: 1) > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_save_groups] > (9): Group 0 members processed! 
> (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [ldb] (9): commit ldb > transaction (nesting: 0) > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_id_op_done] > (9): releasing operation connection > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [acctinfo_callback] > (4): Request processed. Returned 0,0,Success > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[(nil)], ldap[0x83d0370] > (Fri Sep 25 16:48:35 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > dbus conn: 83C4D10 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sbus_dispatch] (9): > Dispatching. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sbus_message_handler] (9): Received SBUS method [getAccountInfo] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [be_get_account_info] > (4): Got request for [3][1][name=username] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_id_op_connect_step] (9): reusing cached connection > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_initgr_send] (9): Retrieving info for initgroups call > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(uid=username)(objectclass=posixAccount))][cn=accounts,dc=ipadomain,dc=net]. 
> (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [uid] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [uidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gecos] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [homeDirectory] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [loginShell] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [krbPrincipalName] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [memberOf] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [shadowLastChange] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [shadowMin] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [shadowMax] > (Fri Sep 25 
16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [shadowWarning] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [shadowInactive] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [shadowExpire] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [shadowFlag] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [krbLastPwdChange] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [krbPasswordExpiration] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [pwdAttribute] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [authorizedService] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [accountExpires] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userAccountControl] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsAccountLock] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 122 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83e0790], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_parse_entry] > (9): OriginalDN: [uid=username,cn=users,cn=accounts,dc=ipadomain,dc=net]. 
> (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83e0790], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_initgr_user] (9): Receiving info for the user > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [ldb] (9): start ldb > transaction (nesting: 0) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_initgr_user] (9): Storing the user > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (9): > Save user > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (7): > Adding original DN [uid=username,cn=users,cn=accounts,dc=ipadomain,dc=net] > to attributes of [username]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (7): > Adding original memberOf attributes to [username]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (7): > Adding user principal [username at ipadomain.net] to attributes of > [username]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (9): > Adding [krbLastPwdChange]=[20150525212313Z] to user attributes. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_save_user] (9): > Adding [krbPasswordExpiration]=[20250522212313Z] to user attributes. 
ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=Read DNA > Range,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. > Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=Read PassSync Managers > Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 136 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: 
sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=Read PassSync > Managers Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net, > returned 0 results. Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=Modify PassSync Managers > Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 137 > (Fri Sep 25 16:48:39 2015) 
[sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=Modify PassSync > Managers Configuration,cn=permissions,cn=pbac,dc=ipadomain,dc=net, > returned 0 results. Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=Add Configuration > Sub-Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): 
ldap_search_ext called, msgid = 138 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=Add Configuration > Sub-Entries,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 > results. Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=System: Read Replication > Agreements,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. 
> (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 139 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=System: Read > Replication Agreements,cn=permissions,cn=pbac,dc=ipadomain,dc=net, > returned 0 results. 
Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=Host > Enrollment,cn=privileges,cn=pbac,dc=ipadomain,dc=net]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 140 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! 
> (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=Host > Enrollment,cn=privileges,cn=pbac,dc=ipadomain,dc=net, returned 0 results. > Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=System: Add > Hosts,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 141 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: 
ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=System: Add > Hosts,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. > Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=System: Add krbPrincipalName to a > Host,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 142 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) 
[sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=System: Add > krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipadomain,dc=net, > returned 0 results. Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=System: Enroll a > Host,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 143 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], 
ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=System: Enroll a > Host,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. > Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host > Certificates,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 144 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: 
sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host > Certificates,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 > results. Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host Enrollment > Password,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 145 > (Fri Sep 25 16:48:39 2015) 
[sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host > Enrollment Password,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 > results. Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=ipadomain,dc=net]. > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): 
ldap_search_ext called, msgid = 146 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host > Keytab,cn=permissions,cn=pbac,dc=ipadomain,dc=net, returned 0 results. > Skipping > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (6): calling ldap_search_ext with > [(&(objectclass=posixGroup)(cn=*))][cn=DNS > Administrator,cn=roles,cn=accounts,dc=ipadomain,dc=net]. 
> (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [objectClass] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [cn] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [userPassword] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [gidNumber] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [member] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (7): Requesting attrs: [entryUSN] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 147 > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: ldap_result found nothing! > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] [sdap_process_result] > (8): Trace: sh[0x83cf0d0], connected[1], ops[0x83ee090], ldap[0x83d0370] > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_get_generic_done] (6): Search result: Success(0), (null) > (Fri Sep 25 16:48:39 2015) [sssd[be[ipadomain.net]]] > [sdap_initgr_nested_search] (2): Search for group cn=DNS > Administrator,cn=roles,cn=accounts,dc=ipadomain,dc=net, returned 0 > results. 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From mlasevich at gmail.com Sat Sep 26 07:20:09 2015
From: mlasevich at gmail.com (Michael Lasevich)
Date: Sat, 26 Sep 2015 00:20:09 -0700
Subject: [Freeipa-users] How to turn off RC4 in 389ds???
In-Reply-To: <5603AD69.1060209@redhat.com>
References: <56028065.9060406@redhat.com> <5602C300.1020906@redhat.com> <5603AD69.1060209@redhat.com>
Message-ID:

That did it. Thank you.

On Thu, Sep 24, 2015 at 12:59 AM, Martin Kosek wrote:
> Hello Michael,
>
> It is possible that this problem comes from obsolete package in the
> mkosek/freeipa COPR repo, which was fixed in Fedora/RHEL, but not there.
>
> Can you please try to update the 389-ds-base from
>
> https://copr.fedoraproject.org/coprs/mkosek/freeipa/
>
> ? I rebuilt the latest F21 389-ds-base to the repo, there were some
> related fixes.
>
> Thanks,
> Martin
>
> On 09/23/2015 05:50 PM, Michael Lasevich wrote:
> > No difference. It is as if this setting is being overwritten somewhere deep
> > in 389ds, because the "error" log correctly reflects the changes, but the
> > actual process does not. (and yes, I verified that the process actually
> > shuts down and starts up again when I restart it)
> >
> > ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"
> > # encryption, config
> > dn: cn=encryption,cn=config
> > objectClass: top
> > objectClass: nsEncryptionConfig
> > cn: encryption
> > nsSSLSessionTimeout: 0
> > nsSSLClientAuth: allowed
> > sslVersionMin: TLS1.0
> > nsSSL3Ciphers: +all
> > allowWeakCipher: off
> > nsSSL3: off
> > nsSSL2: off
> > ... (skipping nssslenabledciphers's) ...
> > nsTLS1: on
> > sslVersionMax: TLS1.2
> >
> > SLAPD error log got longer:
> >
> > SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: Configured NSS Ciphers
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
> >
> > SSLScan Output:
> >
> > sslscan --no-failed localhost:636
> >
> > ...
> > Supported Server Cipher(s):
> > Accepted TLSv1 256 bits AES256-SHA
> > Accepted TLSv1 128 bits AES128-SHA
> > Accepted TLSv1 128 bits DES-CBC3-SHA
> > Accepted TLSv1 128 bits RC4-SHA
> > Accepted TLSv1 128 bits RC4-MD5
> > Accepted TLS11 256 bits AES256-SHA
> > Accepted TLS11 128 bits AES128-SHA
> > Accepted TLS11 128 bits DES-CBC3-SHA
> > Accepted TLS11 128 bits RC4-SHA
> > Accepted TLS11 128 bits RC4-MD5
> > Accepted TLS12 256 bits AES256-SHA256
> > Accepted TLS12 256 bits AES256-SHA
> > Accepted TLS12 128 bits AES128-GCM-SHA256
> > Accepted TLS12 128 bits AES128-SHA256
> > Accepted TLS12 128 bits AES128-SHA
> > Accepted TLS12 128 bits DES-CBC3-SHA
> > Accepted TLS12 128 bits RC4-SHA
> > Accepted TLS12 128 bits RC4-MD5
> >
> >
> > On Wed, Sep 23, 2015 at 8:19 AM, Ludwig Krispenz wrote:
> >
> >>
> >> On 09/23/2015 05:05 PM, Michael Lasevich wrote:
> >>
> >> Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly
> >> to post completely non-IPA questions to this list...).
> >> I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no
> >> matter what I do.
> >>
> >> I am running "CentOS Linux release 7.1.1503 (Core)"
> >>
> >> Relevant Packages:
> >>
> >> freeipa-server-4.1.4-1.el7.centos.x86_64
> >> 389-ds-base-1.3.3.8-1.el7.centos.x86_64
> >> nss-3.19.1-5.el7_1.x86_64
> >> openssl-1.0.1e-42.el7.9.x86_64
> >>
> >> LDAP setting (confirmed that in error.log there is no mention of RC4 in
> >> list of ciphers):
> >>
> >> nsSSL3Ciphers:
> >> -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha
> >>
> >> with ipa the config entry should contain:
> >>
> >> dn: cn=encryption,cn=config
> >> allowWeakCipher: off
> >> nsSSL3Ciphers: +all
> >>
> >> could you try this setting
> >>
> >> Slapd "error" log showing no ciphersuites supporting RC4:
> >>
> >> [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not available in NSS 3.16. Ignoring fortezza
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.16. Ignoring fortezza_rc4_128_sha
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is not available in NSS 3.16. Ignoring fortezza_null
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
> >>
> >> But sslscan returns:
> >>
> >> $ sslscan --no-failed localhost:636
> >> ...
> >>
> >> Supported Server Cipher(s):
> >>
> >> Accepted TLSv1 256 bits AES256-SHA
> >> Accepted TLSv1 128 bits AES128-SHA
> >> Accepted TLSv1 128 bits DES-CBC3-SHA
> >> Accepted TLSv1 128 bits RC4-SHA
> >> Accepted TLSv1 128 bits RC4-MD5
> >> Accepted TLS11 256 bits AES256-SHA
> >> Accepted TLS11 128 bits AES128-SHA
> >> Accepted TLS11 128 bits DES-CBC3-SHA
> >> Accepted TLS11 128 bits RC4-SHA
> >> Accepted TLS11 128 bits RC4-MD5
> >> Accepted TLS12 256 bits AES256-SHA256
> >> Accepted TLS12 256 bits AES256-SHA
> >> Accepted TLS12 128 bits AES128-GCM-SHA256
> >> Accepted TLS12 128 bits AES128-SHA256
> >> Accepted TLS12 128 bits AES128-SHA
> >> Accepted TLS12 128 bits DES-CBC3-SHA
> >> Accepted TLS12 128 bits RC4-SHA
> >> Accepted TLS12 128 bits RC4-MD5
> >>
> >> ...
> >>
> >>
> >> I would assume the sslscan is broken, but nmap and other scanners all
> >> confirm that RC4 is still on.
> >>
> >> -M
> >>
> >> On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek wrote:
> >>
> >>> On 09/23/2015 11:00 AM, Michael Lasevich wrote:
> >>>> OK, this is a most bizarre issue,
> >>>>
> >>>> I am trying to disable RC4 based TLS Cipher Suites in LDAPs (port 636) and
> >>>> for the life of me cannot get it to work
> >>>>
> >>>> I have followed many nearly identical instructions to create ldif file and
> >>>> change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough -
> >>>> and I get it to take, and during the startup I can see the right SSL Cipher
> >>>> Suites listed in errors.log - but when it starts and I probe it, RC4
> >>>> ciphers are still there. I am completely confused.
> >>>>
> >>>> I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")
> >>>> and to old style cypher lists (lowercase), and new style cypher
> >>>> lists (uppercase), and nothing seems to make any difference.
> >>>>
> >>>> Any ideas?
> >>>>
> >>>> -M
> >>>
> >>> Are you asking about standalone 389-DS or the one integrated in FreeIPA? As
> >>> with currently supported versions of FreeIPA, RC4 ciphers should be already
> >>> gone, AFAIK.
> >>>
> >>> In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:
> >>>
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1154687
> >>> https://fedorahosted.org/freeipa/ticket/4653
> >>
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
> >>
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From brian at interlinx.bc.ca Sat Sep 26 18:26:56 2015
From: brian at interlinx.bc.ca (Brian J. Murrell)
Date: Sat, 26 Sep 2015 14:26:56 -0400
Subject: [Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t
In-Reply-To: <20150924052357.GD7201@redhat.com>
References: <1443051323.7486.76.camel@interlinx.bc.ca> <20150924052357.GD7201@redhat.com>
Message-ID: <1443292016.7486.240.camel@interlinx.bc.ca>

On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:

OK. I have refreshed my memory of how Kerberos works.

> The sequence above:
>
> - Sets a random Kerberos key for a principal named asterisk at EXAMPLE.COM
> on IPA KDC and stores it to the local keytab file asterisk.keytab

Yes. That keytab is intended to be the machine equivalent of the human
who enters their password at a kinit prompt.

> - tries to use a key for asterisk at EXAMPLE.COM to obtain ticket granting
> ticket as imap/linux.example.com at EXAMPE.COM

Why would it try to obtain a TGT as the imap/linux.example.com
principal? It should be trying to obtain a TGT as the
asterisk at example.com principal, exactly as a human named "asterisk"
would do using kinit.

The goal here is to have the daemon authenticate to the KDC as
asterisk at example.com and then use that TGT to get service tickets to
the imap service so that it authenticates to the imap service as the
user "asterisk".

I suppose the other way is to give the daemon the imap principal's key
and let it forge service tickets, but that would require the daemon to
know that that is what it is doing. It does not know that. It is just
acting like an imap client as any other imap client that uses kerberos
does. To be perfectly clear, this daemon only wants to authenticate as
the single user "asterisk" to the imap server. It does not need to
authenticate as many users.

Cheers,
b.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL:

From rsvancara at wsu.edu Sat Sep 26 19:08:16 2015
From: rsvancara at wsu.edu (Svancara, Randall)
Date: Sat, 26 Sep 2015 19:08:16 +0000
Subject: [Freeipa-users] Setting up Domain Trust with Active Directory w2008R2
Message-ID: <1F880D7A2494B346B5AB96481EAE704A2406EAD8@EXMB-03.ad.wsu.edu>

Hi,

Trying to establish a trust relationship between a test domain that I
have configured on windows server 2008r2 with FreeIPA 4.1.2 (Centos 7).

I have enabled debugging and I attempt to run the following command:

ipa trust-add --type=ad ad.winblows --admin Administrator --password

The http error logs emit the following output provided below. Looks
like something connects to the domain controller performing the CLDAP
query, but then there is a second section that appears to have a
problem with "non-public: KeyError: 'dns_hostname'"

Addrs = 172.16.1.253 at 389/ad1
finddcs: DNS SRV response 0 at '172.16.1.253'
finddcs: performing CLDAP query on 172.16.1.253
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbfc8220e80
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbfc8045660
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbfc8045660
s4_tevent: Added timed event "tevent_req_timedout": 0x7fbfc8045c00
s4_tevent: Destroying timer event 0x7fbfc8220e80 "tevent_req_timedout"
s4_tevent: Destroying timer event 0x7fbfc8045c00 "tevent_req_timedout"
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
    command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
    sbz                      : 0x0000 (0)
    server_type              : 0x000033fd (13309)
           1: NBT_SERVER_PDC
           1: NBT_SERVER_GC
           1: NBT_SERVER_LDAP
           1: NBT_SERVER_DS
           1: NBT_SERVER_KDC
           1: NBT_SERVER_TIMESERV
           1: NBT_SERVER_CLOSEST
           1: NBT_SERVER_WRITABLE
           1: NBT_SERVER_GOOD_TIMESERV
           0: NBT_SERVER_NDNC
           0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
           1: NBT_SERVER_FULL_SECRET_DOMAIN_6
           1: NBT_SERVER_ADS_WEB_SERVICE
           0: NBT_SERVER_HAS_DNS_NAME
           0: NBT_SERVER_IS_DEFAULT_NC
           0: NBT_SERVER_FOREST_ROOT
    domain_uuid              : 4a9706c2-e025-4556-a48b-f0e15941b60e
    forest                   : 'ad.winblows'
    dns_domain               : 'ad.winblows'
    pdc_dns_name             : 'ad1.ad.winblows'
    domain_name              : 'AD'
    pdc_name                 : 'AD1'
    user_name                : ''
    server_site              : 'Default-First-Site-Name'
    client_site              : 'Default-First-Site-Name'
    sockaddr_size            : 0x00 (0)
    sockaddr: struct nbt_sockaddr
        sockaddr_family      : 0x00000000 (0)
        pdc_ip               : (null)
        remaining            : DATA_BLOB length=0
    next_closest_site        : NULL
    nt_version               : 0x00000005 (5)
           1: NETLOGON_NT_VERSION_1
           0: NETLOGON_NT_VERSION_5
           1: NETLOGON_NT_VERSION_5EX
           0: NETLOGON_NT_VERSION_5EX_WITH_IP
           0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
           0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
           0: NETLOGON_NT_VERSION_PDC
           0: NETLOGON_NT_VERSION_IP
           0: NETLOGON_NT_VERSION_LOCAL
           0: NETLOGON_NT_VERSION_GC
    lmnt_token               : 0xffff (65535)
    lm20_token               : 0xffff (65535)
finddcs: Found matching DC 172.16.1.253 with server_type=0x000033fd
[Sat Sep 26 12:01:24.624183 2015] [:error] [pid 8407] ipa: ERROR: LDAP error when connecting to AD1: {'desc': "Can't contact LDAP server"}
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
params.c:pm_process() - Processing configuration file "/usr/share/ipa/smb.conf.empty"
Processing section "[global]"
INFO: Current debug levels: all: 100 tdb: 100 printdrivers: 100 lanman: 100 smb: 100 rpc_parse: 100 rpc_srv: 100 rpc_cli: 100 passdb: 100 sam: 100 auth: 100 winbind: 100 vfs: 100 idmap: 100 quota: 100 acls: 100 locking: 100 msdfs: 100 dmapi: 100 registry: 100 scavenger: 100 dns: 100 ldb: 100
pm_process() returned Yes
[Sat Sep 26 12:01:24.625956 2015] [:error] [pid 8407] ipa: ERROR: non-public: KeyError: 'dns_hostname'
[Sat Sep 26 12:01:24.625970 2015] [:error] [pid 8407] Traceback (most recent call last):
[Sat Sep 26 12:01:24.625974 2015] [:error] [pid 8407]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in wsgi_execute
[Sat Sep 26 12:01:24.625977 2015] [:error] [pid 8407]     result = self.Command[name](*args, **options)
[Sat Sep 26 12:01:24.625982 2015] [:error] [pid 8407]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
[Sat Sep 26 12:01:24.625985 2015] [:error] [pid 8407]     ret = self.run(*args, **options)
[Sat Sep 26 12:01:24.625988 2015] [:error] [pid 8407]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
[Sat Sep 26 12:01:24.625991 2015] [:error] [pid 8407]     return self.execute(*args, **options)
[Sat Sep 26 12:01:24.625994 2015] [:error] [pid 8407]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 473, in execute
[Sat Sep 26 12:01:24.625997 2015] [:error] [pid 8407]     old_range, range_name, dom_sid = self.validate_range(*keys, **options)
[Sat Sep 26 12:01:24.626000 2015] [:error] [pid 8407]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 663, in validate_range
[Sat Sep 26 12:01:24.626004 2015] [:error] [pid 8407]     self.realm_passwd
[Sat Sep 26 12:01:24.626007 2015] [:error] [pid 8407]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1170, in populate_remote_domain
[Sat Sep 26 12:01:24.626010 2015] [:error] [pid 8407]     td.retrieve(rd.info['dns_hostname'])
[Sat Sep 26 12:01:24.626013 2015] [:error] [pid 8407] KeyError: 'dns_hostname'
[Sat Sep 26 12:01:24.626447 2015] [:error] [pid 8407] ipa: INFO: [jsonserver_session] admin at LOCAL: trust_add(u'ad.winblows', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): KeyError
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From janellenicole80 at gmail.com Sun Sep 27 13:21:52 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Sun, 27 Sep 2015 06:21:52 -0700
Subject: [Freeipa-users] password resets - errors
Message-ID: <5607ED70.7070003@gmail.com>

Hello,

I continue to see these a lot, but only on some servers. It causes a
lot of confusion with my users. There must be a way to troubleshoot
this and find the issue.
Also, there is nothing wrong with the password policies. They are all
set to default, and this occurs even when a user's password has
expired. The only thing I can say is it tends to happen on more heavily
loaded servers than lightly loaded ones. And perhaps the most important
point - the password *IS* changed successfully!

Changing password for user expired-user.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Current password's minimum life has not expired

Password not changed.
passwd: Authentication token manipulation error

Thoughts? Anything?

~Janelle

From yamakasi.014 at gmail.com Sun Sep 27 11:34:49 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sun, 27 Sep 2015 13:34:49 +0200
Subject: [Freeipa-users] What todo when a company/domain name should be changed ?
Message-ID:

Hi All,

I'm investigating what the possibilities are when you have an existing
domain/realm and the company name is changed, so the domain should be
also. I came on this idea because I wanted to know how flexible the
integration is here.

As we use in my opinion a very simple and dumb node setup, we are very
able to move around as we want, but how is this done at other
companies?

To start with DNS I would setup a new IPA server with the new domain
and forward this domain from the old ipa server and start moving over
servers and create a new hostkey for them. As loadbalancers are in
place in lots of setups this is very easy to do without downtime.

I'm more wondering about how the users and their related groups can be
moved over, or would this be done using migrate-ds or something? As
the domain changes, so does the dc= string too... the reference of the
groups is missing.

I hope someone can make this more clear as I think this is good
knowledge to have upfront anything and any case.

Thanks!

matt

From abokovoy at redhat.com Mon Sep 28 06:48:20 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 28 Sep 2015 09:48:20 +0300
Subject: [Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t
In-Reply-To: <1443292016.7486.240.camel@interlinx.bc.ca>
References: <1443051323.7486.76.camel@interlinx.bc.ca> <20150924052357.GD7201@redhat.com> <1443292016.7486.240.camel@interlinx.bc.ca>
Message-ID: <20150928064820.GA4539@redhat.com>

On Sat, 26 Sep 2015, Brian J. Murrell wrote:
>On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:
>
>OK. I have refreshed my memory of how Kerberos works.
>
>> The sequence above:
>>
>> - Sets a random Kerberos key for a principal named asterisk at EXAMPLE.COM
>> on IPA KDC and stores it to the local keytab file asterisk.keytab
>
>Yes. That keytab is intended to be the machine equivalent of the human
>who enters their password at a kinit prompt.
Ok, I wanted to know what you were trying to achieve.

>
>> - tries to use a key for asterisk at EXAMPLE.COM to obtain ticket granting
>> ticket as imap/linux.example.com at EXAMPE.COM
>
>Why would it try to obtain a TGT as the imap/linux.example.com
>principal? It should be trying to obtain a TGT as the
>asterisk at example.com principal, exactly as a human named "asterisk"
>would do using kinit.
Because *you* asked it to do so:

$ man kinit
...
SYNOPSIS
       kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P] [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-t keytab_file]] [-c cache_name] [-n] [-S service_name] [-I input_ccache] [-T armor_ccache] [-X attribute[=value]] [principal]

DESCRIPTION
       kinit obtains and caches an initial ticket-granting ticket for principal.

So, when you run kinit as

   kinit -k -t /path/to/keytab imap/linux.example.com

You are asking "take the key for imap/linux.example.com from the
/path/to/keytab and obtain a ticket granting ticket from KDC using
these credentials".
>The goal here is to have the daemon authenticate to the KDC as
>asterisk at example.com and then use that TGT to get service tickets to
>the imap service so that it authenticates to the imap service as the
>user "asterisk".
And that would be

   kinit -k -t /path/to/keytab asterisk

That's enough. Not specifying the principal would mean using a default
(host/fqdn), not whatever is the principal in the keytab.

>I suppose the other way is to give the daemon the imap principal's key
>and let it forge service tickets, but that would require the daemon to
>know that that is what it is doing. It does not know that. It is just
>acting like an imap client as any other imap client that uses kerberos
>does. To be perfectly clear, this daemon only wants to authenticate as
>the single user "asterisk" to the imap server. It does not need to
>authenticate as many users.
Yes. Once you've obtained a TGT in the current ccache, your application
can request the service ticket (imap/linux.example.com) automatically.

-- 
/ Alexander Bokovoy

From abokovoy at redhat.com Mon Sep 28 06:51:02 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 28 Sep 2015 09:51:02 +0300
Subject: [Freeipa-users] Setting up Domain Trust with Active Directory w2008R2
In-Reply-To: <1F880D7A2494B346B5AB96481EAE704A2406EAD8@EXMB-03.ad.wsu.edu>
References: <1F880D7A2494B346B5AB96481EAE704A2406EAD8@EXMB-03.ad.wsu.edu>
Message-ID: <20150928065102.GB4539@redhat.com>

On Sat, 26 Sep 2015, Svancara, Randall wrote:
>Hi,
>
>Trying to establish a trust relationship between a test domain that I
>have configured on windows server 2008r2 with FreeIPA 4.1.2 (Centos 7).
>
>I have enabled debugging and I attempt to run the following command:
>
>ipa trust-add --type=ad ad.winblows --admin Administrator --password
>
>The http error logs emit the following output provided below. Looks
>like something connects to the domain controller performing the CLDAP
>query, but then there is a second section that appears to have a
>problem with "non-public: KeyError: 'dns_hostname'"
This looks like https://fedorahosted.org/freeipa/ticket/4570

We fixed it with refactoring of IPA trust-add code in FreeIPA 4.2.1.
It is going to come to CentOS 7 eventually once RHEL 7.2 is released
(beta is out already).

-- 
/ Alexander Bokovoy

From jhrozek at redhat.com Mon Sep 28 07:11:10 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 28 Sep 2015 09:11:10 +0200
Subject: [Freeipa-users] password resets - errors
In-Reply-To: <5607ED70.7070003@gmail.com>
References: <5607ED70.7070003@gmail.com>
Message-ID: <20150928071110.GT7272@hendrix.redhat.com>

On Sun, Sep 27, 2015 at 06:21:52AM -0700, Janelle wrote:
> Hello,
>
> I continue to see these a lot, but only on some servers. It causes a lot of
> confusion with my users. There must be a way to troubleshoot this and find
> the issue. Also, there is nothing wrong with the password policies. They are
> all set to default, and this occurs even when a user's password has expired.
> The only thing I can say is it tends to happen on more heavily loaded
> servers than lightly loaded ones. And perhaps the most important point - the
> password *IS* changed successfully!
>
> Changing password for user expired-user.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Current password's minimum life has
> not expired
>
> Password not changed.
> passwd: Authentication token manipulation error
>
> Thoughts? Anything?
>
> ~Janelle

Is there anything interesting in either the client side or the server
side logs?
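An added example for the kinit -k -t thread above (Brian's question and Alexander's reply); it is not part of the list discussion and not FreeIPA code. It parses an MIT-format keytab (version 0x0502, the format ipa-getkeytab writes) to list the principals it actually holds, then applies the selection rule Alexander states: kinit -k uses the principal given on the command line, or host/<fqdn>@REALM when none is given, never "whatever is in the keytab". Comparing the two predicts the preauthentication failure without contacting a KDC. The keytab bytes, the zero placeholder key, the function names and the hostname linux.example.com are all constructed for the example.

```python
# Added example for the kinit -k -t thread; not FreeIPA code, no KDC involved.
# Keytab bytes and key material below are constructed (placeholder zero key).
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

KRB5_NT_PRINCIPAL = 1          # name-type tag written into each keytab entry
AES256_CTS_HMAC_SHA1_96 = 18   # enctype number used by the constructed entry


@dataclass
class KeytabEntry:
    principal: str   # e.g. "asterisk@EXAMPLE.COM"
    enctype: int
    kvno: int
    timestamp: int


def _pack_counted(s: str) -> bytes:
    """keytab counted_octet_string: uint16 big-endian length + bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, off: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2: off + 2 + n].decode(), off + 2 + n


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialize (principal, enctype, kvno, key) tuples as a version 0x0502 keytab."""
    out = b"\x05\x02"
    for princ, enctype, kvno, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack_counted(realm)
        for c in comps:
            body += _pack_counted(c)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key               # keyblock
        body += struct.pack(">I", kvno)                                   # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the entry records of a version 0x0502 keytab; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen
        kvno = vno8
        if end - off >= 4:           # 32-bit kvno present: it overrides the 8-bit field
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, enctype, kvno, timestamp))
        off = end
    return entries


def kinit_principal(requested: Optional[str], hostname: str, realm: str) -> str:
    """Principal `kinit -k` asks the KDC for: the argument if given (realm
    appended when absent), otherwise the default host/<fqdn>@REALM."""
    if requested:
        return requested if "@" in requested else "%s@%s" % (requested, realm)
    return "host/%s@%s" % (hostname, realm)


def check_kinit(keytab: bytes, requested: Optional[str], hostname: str, realm: str) -> Tuple[str, bool]:
    """Return (principal kinit would use, whether the keytab holds a key for it)."""
    wanted = kinit_principal(requested, hostname, realm)
    present = {e.principal for e in parse_keytab(keytab)}
    return wanted, wanted in present


# Constructed stand-in for the asterisk.keytab from the thread (zero key, kvno 1).
ASTERISK_KEYTAB = build_keytab([("asterisk@EXAMPLE.COM", AES256_CTS_HMAC_SHA1_96, 1, b"\x00" * 32)])

if __name__ == "__main__":
    for req in (None, "imap/linux.example.com", "asterisk"):
        princ, ok = check_kinit(ASTERISK_KEYTAB, req, "linux.example.com", "EXAMPLE.COM")
        print("kinit -k -t asterisk.keytab %s -> asks for %s: %s"
              % (req or "", princ, "key present" if ok else "no key in keytab, kinit will fail"))
```

Running it shows the three cases from the thread: no principal argument asks for host/linux.example.com@EXAMPLE.COM, which the keytab does not contain; imap/linux.example.com likewise has no key in the file; only "asterisk" matches the single entry. The same parse_keytab can be pointed at a real file (open(path, "rb").read()) to see what ipa-getkeytab actually stored before blaming the KDC.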
From andreas.calminder at nordnet.se Mon Sep 28 10:27:47 2015
From: andreas.calminder at nordnet.se (Andreas Calminder)
Date: Mon, 28 Sep 2015 12:27:47 +0200
Subject: [Freeipa-users] ipa-server-install and ipactl fails after reboot
Message-ID: <56091623.9090302@nordnet.se>

Hello,
I have a really strange problem while installing the ipa-server. I've
installed the server like this:
# ipa-server-install --idstart=76400000 -N --realm=DOMAIN.TLD --hostname=idm1.sub.domain.tld -n domain.tld --external-ca --external-ca-type=ms-cs

I get the csr and send it off to our AD admin, I poweroff the machine
and take a snapshot, because you know, if anything goes wrong I want a
clean snapshot. I startup the machine and try to run the installer a
second time, like suggested by the installer:
# ipa-server-install --external-cert-file=/tmp/ipa.crt --external-cert-file=/tmp/ca_chain.crt

It fails with Unable to access directory server: Can't contact ldap
server.

Ok, fine because it wasn't started after reboot.

# ipactl start
Starting Directory Service
Failed to read data from service file: Failed to get list of services to probe status!
Configured hostname 'idm1.sub.domain.tld' does not match any master server in LDAP:
idm1.sub.domain.tld
Shutting down

I reverted back to my snapshot, I still get the same error message. I
can start the dirsrv without problem with systemctl start
dirsrv at DOMAIN-TLD.

Running ipactl -d:
ipactl -d status
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='klist' '-V'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.12.2
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'dirsrv at DOMAIN-TLD.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'dirsrv at DOMAIN-TLD.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-NORDNET-SE.socket from SchemaCache
ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-TLD.socket conn=
ipa: DEBUG:   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/usr/sbin/ipactl", line 517, in main
    ipa_status(options)

  File "/usr/sbin/ipactl", line 439, in ipa_status
    raise e

ipa: DEBUG: The ipactl command failed, exception: IpactlError: Failed to get list of services to probe status!
Configured hostname 'idm1.sub.domain.tld' does not match any master server in LDAP:
idm1.sub.domain.tld
Failed to get list of services to probe status!
Configured hostname 'idm1.sub.domain.tld' does not match any master server in LDAP:
idm1.sub.domain.tld

Any help or pointers greatly appreciated!
Regards,
Andreas

From andreas.calminder at nordnet.se Mon Sep 28 11:14:21 2015
From: andreas.calminder at nordnet.se (Andreas Calminder)
Date: Mon, 28 Sep 2015 13:14:21 +0200
Subject: [Freeipa-users] ipa-server-install and ipactl fails after reboot
In-Reply-To: <56091623.9090302@nordnet.se>
References: <56091623.9090302@nordnet.se>
Message-ID: <5609210D.3040000@nordnet.se>

Solved this on my own. In case anyone else hits this on rhel7
ipa-server 4.1.0-18, just start the dirsrv and tomcat instances by
hand:
# systemctl start dirsrv at REALM.NAME
# systemctl start pki-tomcatd at pki-tomcat.service

and then run your installer again:
# ipa-server-install --external-cert-file=ca_chain_and_ipa_cert.pem

Sorry for the noise!
/andreas

On 09/28/2015 12:27 PM, Andreas Calminder wrote:
> Hello,
> I have a really strange problem while installing the ipa-server. I've
> installed the server like this:
> # ipa-server-install --idstart=76400000 -N --realm=DOMAIN.TLD
> --hostname=idm1.sub.domain.tld -n domain.tld --external-ca
> --external-ca-type=ms-cs
>
> I get the csr and send it off to our AD admin, I poweroff the machine
> and take a snapshot, because you know, if anything goes wrong I want a
> clean snapshot. I startup the machine and try to run the installer a
> second time, like suggested by the installer:
> # ipa-server-install --external-cert-file=/tmp/ipa.crt
> --external-cert-file=/tmp/ca_chain.crt
>
> It fails with Unable to access directory server: Can't contact ldap
> server.
>
> Ok, fine because it wasn't started after reboot.
>
> # ipactl start
> Starting Directory Service
> Failed to read data from service file: Failed to get list of services
> to probe status!
> Configured hostname 'idm1.sub.domain.tld' does not match any master
> server in LDAP:
> idm1.sub.domain.tld
> Shutting down
>
> I reverted back to my snapshot, I still get the same error message. I
> can start the dirsrv without problem with systemctl start
> dirsrv at DOMAIN-TLD.
>
> Running ipactl -d:
> ipactl -d status
> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
> ipa: DEBUG: importing plugin module
>
'/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py' > ipa: DEBUG: Starting external process > ipa: DEBUG: args='klist' '-V' > ipa: DEBUG: Process finished, return code=0 > ipa: DEBUG: stdout=Kerberos 5 version 1.12.2 > > ipa: DEBUG: stderr= > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py' > ipa: 
DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py' > ipa: DEBUG: importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py' > ipa: DEBUG: Starting external process > ipa: DEBUG: args='/bin/systemctl' 'is-active' 'dirsrv at DOMAIN-TLD.service' > ipa: DEBUG: Process finished, return code=0 > ipa: DEBUG: stdout=active > > ipa: DEBUG: stderr= > ipa: DEBUG: Starting external process > ipa: DEBUG: args='/bin/systemctl' 'is-active' 'dirsrv at DOMAIN-TLD.service' > ipa: DEBUG: Process finished, return code=0 > ipa: DEBUG: stdout=active > > ipa: DEBUG: stderr= > ipa: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-NORDNET-SE.socket > from SchemaCache > ipa: DEBUG: retrieving schema for SchemaCache > url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-TLD.socket > conn= > ipa: DEBUG: File > "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", > line 646, in run_script > return_value = main_function() > > File "/usr/sbin/ipactl", line 517, in main > ipa_status(options) > > File "/usr/sbin/ipactl", line 439, in ipa_status > raise e > > ipa: DEBUG: The ipactl command failed, exception: IpactlError: Failed > to get list of services to probe status! 
> Configured hostname 'idm1.sub.domain.tld' does not match any master
> server in LDAP:
> idm1.sub.domain.tld
> Failed to get list of services to probe status!
> Configured hostname 'idm1.sub.domain.tld' does not match any master
> server in LDAP:
> idm1.sub.domain.tld
>
> Any help or pointers greatly appreciated!
>
> Regards,
> Andreas
>

From ladanyi at ira.uka.de Sat Sep 26 11:35:20 2015
From: ladanyi at ira.uka.de (ladanyi at ira.uka.de)
Date: Sat, 26 Sep 2015 13:35:20 +0200
Subject: [Freeipa-users] ipa-client-install error
In-Reply-To: <56053FCF.5060204@kit.edu>
Message-ID: <20150926133520.Horde.u4Q5O-mWih7NhLl6ve5-8Q6@webmail.informatik.kit.edu>

Hi Bahan,

> Hey.
>
> Try to remove the cert file in /etc/ipa of this client.
>
> And then retry.
>

this was perfect :-) Thank you.

> Best regards.
>
> Bahan
>
> Andy
> Hi,
>
> I want to install ipa client: ipa-client-install -d
>
> I get the following error:
>
> Verifying that "MyFreeIPA Server" (realm None) is an IPA server
> Init LDAP connection to: "MyFreeIPA Server"
> Error checking LDAP: Connect error: TLS error -8054:You are attempting
> to import a cert with the same issuer/serial as an existing cert, but
> that is not the same cert.
> Skip "MyFreeIPA Server" : cannot verify if this is an IPA server
> Discovery result: UNKNOWN_ERROR; ...................................
> Validated servers:
> Failed to verify that "MyFreeIPA Server" is an IPA Server.
> This may mean that the remote server is not up or is not reachable due
> to network or firewall settings.
> Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> "MyFreeIPA Server" : Provided interactively)
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> selinux on the ipa client and ipa server is permissive, iptables is empty.
>
> It seems to be a problem with the SSL certificate of freeipa.
>
>
> About the client:
>
> rpm -qi ipa-client
> Name : ipa-client
> Version : 4.1.0
> Release : 18.el7.centos.4
>
>
> About the freeipa server:
>
> rpm -qi freeipa-server
> Name : freeipa-server
> Version : 4.1.4
> Release : 1.fc21
>
>
> regards,
> Andy

From martin at stefany.eu Sat Sep 26 15:35:59 2015
From: martin at stefany.eu (Martin Štefany)
Date: Sat, 26 Sep 2015 21:05:59 +0530
Subject: [Freeipa-users] CentOS7: certmonger not enabled by default?
Message-ID:

Hello all,

I'd like to verify with you if certmonger.service should be enabled by default after IPA client installation or not. If I remember correctly, it used to start on CentOS6, IPA client ~3.0.0, after ipa-client installation and reboots.

The thing is, for first time usage and subsequent certificate renewal one needs to start and enable certmonger.service in systemd, right? Otherwise all ipa-getcert commands just return error about certmonger not running. I mean, is this desired and default behavior?

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/setting-up-clients.html actually claims: 'Enable certmonger, retrieve an SSL server certificate, and install the certificate in /etc/pki/nssdb.' so one or the other is wrong...

I'm using:

CentOS Linux release 7.1.1503 (Core)

certmonger-0.75.14-3.el7.x86_64
ipa-client-4.1.0-18.el7.centos.4.x86_64
ipa-python-4.1.0-18.el7.centos.4.x86_64
libipa_hbac-1.12.2-58.el7_1.17.x86_64
libipa_hbac-python-1.12.2-58.el7_1.17.x86_64
python-iniparse-0.4-9.el7.noarch
python-ipaddr-2.1.9-5.el7.noarch
sssd-ipa-1.12.2-58.el7_1.17.x86_64

I've tried to search for this on both CentOS and RHEL BugZilla, and FreeIPA trac, and Google, but I couldn't find any bug or discussion. Sorry if this is a duplicate.

Thank you.
Martin

From rcritten at redhat.com Mon Sep 28 13:03:58 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Sep 2015 09:03:58 -0400
Subject: [Freeipa-users] CentOS7: certmonger not enabled by default?
In-Reply-To:
References:
Message-ID: <56093ABE.6090408@redhat.com>

Martin Štefany wrote:
> Hello all,
>
> I'd like to verify with you if certmonger.service should be enabled by
> default after IPA client installation or not. If I remember correctly,
> it used to start on CentOS6, IPA client ~3.0.0, after ipa-client
> installation and reboots.
>
> The thing is, for first time usage and subsequent certificate renewal
> one needs to start and enable certmonger.service in systemd, right?
> Otherwise all ipa-getcert commands just return error about certmonger
> not running. I mean, is this desired and default behavior?
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/setting-up-clients.html
> actually claims: 'Enable certmonger, retrieve an SSL server certificate,
> and install the certificate in /etc/pki/nssdb.' so one or the other is
> wrong...
>
> I'm using:
>
> CentOS Linux release 7.1.1503 (Core)
>
> certmonger-0.75.14-3.el7.x86_64
> ipa-client-4.1.0-18.el7.centos.4.x86_64
> ipa-python-4.1.0-18.el7.centos.4.x86_64
> libipa_hbac-1.12.2-58.el7_1.17.x86_64
> libipa_hbac-python-1.12.2-58.el7_1.17.x86_64
> python-iniparse-0.4-9.el7.noarch
> python-ipaddr-2.1.9-5.el7.noarch
> sssd-ipa-1.12.2-58.el7_1.17.x86_64
>
> I've tried to search for this on both CentOS and RHEL BugZilla, and
> FreeIPA trac, and Google, but I couldn't find any bug or discussion.
> Sorry if this is a duplicate.

As of IPA 4.0.0 the client no longer always gets a host certificate so certmonger isn't started.
rob

From rcritten at redhat.com Mon Sep 28 13:10:57 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Sep 2015 09:10:57 -0400
Subject: [Freeipa-users] password resets - errors
In-Reply-To: <5607ED70.7070003@gmail.com>
References: <5607ED70.7070003@gmail.com>
Message-ID: <56093C61.7040005@redhat.com>

Janelle wrote:
> Hello,
>
> I continue to see these a lot, but only on some servers. It causes a lot
> of confusion with my users. There must be a way to troubleshoot this
> and find the issue. Also, there is nothing wrong with the password
> policies. They are all set to default, and this occurs even when a
> user's password has expired. The only thing I can say is it tends to
> happen on more heavily loaded servers than lightly loaded ones. And
> perhaps the most important point - the password *IS* changed successfully!
>
> Changing password for user expired-user.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Current password's minimum life
> has not expired
>
> Password not changed.
> passwd: Authentication token manipulation error
>
> Thoughts? Anything?
>
> ~Janelle
>

What tool is changing the expired password?

I'd be curious to see the password policy for the user, ipa pwpolicy-show --user=

Seeing the krbLastPwdChange and krbPasswordExpiration might be handy too.

rob

From janellenicole80 at gmail.com Mon Sep 28 13:46:24 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 28 Sep 2015 06:46:24 -0700
Subject: [Freeipa-users] password resets - errors
In-Reply-To: <56093C61.7040005@redhat.com>
References: <5607ED70.7070003@gmail.com> <56093C61.7040005@redhat.com>
Message-ID: <560944B0.6050509@gmail.com>

On 9/28/15 6:10 AM, Rob Crittenden wrote:
> Janelle wrote:
>> Hello,
>>
>> I continue to see these a lot, but only on some servers. It causes a lot
>> of confusion with my users. There must be a way to troubleshoot this
>> and find the issue.
>> Also, there is nothing wrong with the password
>> policies. They are all set to default, and this occurs even when a
>> user's password has expired. The only thing I can say is it tends to
>> happen on more heavily loaded servers than lightly loaded ones. And
>> perhaps the most important point - the password *IS* changed successfully!
>>
>> Changing password for user expired-user.
>> Current Password:
>> New password:
>> Retype new password:
>> Password change failed. Server message: Current password's minimum life
>> has not expired
>>
>> Password not changed.
>> passwd: Authentication token manipulation error
>>
>> Thoughts? Anything?
>>
>> ~Janelle
>>
> What tool is changing the expired password?
>
> I'd be curious to see the password policy for the user, ipa
> pwpolicy-show --user=
>
> Seeing the krbLastPwdChange
> and krbPasswordExpiration might be handy too.
>
> rob

Hi,

I was hoping it would not go off on this tangent. All users have the default PW policy -- there are no differences and every single user has the same problem.

The tool is simple "passwd" or, in the case of some users who have actually hit the 90-day expiry, nothing more than a simple login followed by the system saying your password has expired, please change it.

The krbLastPwdChange shows the exact day/time of the user changing their PW, in this case, when this error occurs. The expiration shows 90 days from that time. If you see the specifics I mentioned, even though the error is presented, the password is actually changed. Really confused with this one.
~J

From janellenicole80 at gmail.com Mon Sep 28 13:56:41 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Mon, 28 Sep 2015 06:56:41 -0700
Subject: [Freeipa-users] password resets - errors
In-Reply-To: <56093C61.7040005@redhat.com>
References: <5607ED70.7070003@gmail.com> <56093C61.7040005@redhat.com>
Message-ID: <56094719.7050508@gmail.com>

On 9/28/15 6:10 AM, Rob Crittenden wrote:
> Janelle wrote:
>> Hello,
>>
>> I continue to see these a lot, but only on some servers. It causes a lot
>> of confusion with my users. There must be a way to troubleshoot this
>> and find the issue. Also, there is nothing wrong with the password
>> policies. They are all set to default, and this occurs even when a
>> user's password has expired. The only thing I can say is it tends to
>> happen on more heavily loaded servers than lightly loaded ones. And
>> perhaps the most important point - the password *IS* changed successfully!
>>
>> Changing password for user expired-user.
>> Current Password:
>> New password:
>> Retype new password:
>> Password change failed. Server message: Current password's minimum life
>> has not expired
>>
>> Password not changed.
>> passwd: Authentication token manipulation error
>>
>> Thoughts? Anything?
>>
>> ~Janelle
>>
> What tool is changing the expired password?
>
> I'd be curious to see the password policy for the user, ipa
> pwpolicy-show --user=
>
> Seeing the krbLastPwdChange and krbPasswordExpiration might be handy too.
>
> rob

And, please accept my apology if that was worded poorly on my reply. Very appreciative for the help, just was trying to steer away from the actual password policy having anything to do with it. As I re-read my reply, I thought it might have sounded rude in the email. Not intended to be that way.
~J

From james.masson at jmips.co.uk Mon Sep 28 16:03:31 2015
From: james.masson at jmips.co.uk (James Masson)
Date: Mon, 28 Sep 2015 17:03:31 +0100
Subject: [Freeipa-users] Automatic IPA CA cert generation
In-Reply-To: <20150924002014.GE16937@dhcp-40-8.bne.redhat.com>
References: <56016D95.3080708@jmips.co.uk> <56025025.9080609@redhat.com> <20150923100357.GZ16937@dhcp-40-8.bne.redhat.com> <56027BFB.2050801@jmips.co.uk> <20150924002014.GE16937@dhcp-40-8.bne.redhat.com>
Message-ID: <560964D3.9050009@jmips.co.uk>

On 24/09/15 01:20, Fraser Tweedale wrote:
> On Wed, Sep 23, 2015 at 11:16:27AM +0100, James Masson wrote:
>>
>> On 23/09/15 11:03, Fraser Tweedale wrote:
>>> On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
>>>> On 22/09/15 17:02, James Masson wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> we're building IPAs in an automated fashion, for environments that get
>>>>> created and destroyed a lot. At the moment, the CA certs used inside
>>>>> these IPAs are self-signed, as part of the normal "ipa-server-install"
>>>>> setup process.
>>>>>
>>>>> We would like to switch to issuing signed intermediate CA certs to the
>>>>> IPAs we deploy.
>>>>>
>>>>> The documentation lists the two part process necessary for this. First
>>>>> "--external-ca" - and then "--external-cert-file"
>>>>>
>>>>> Are there any ways to skip this, and give the setup process a known
>>>>> public/private key+cert up front? I'm hoping to avoid the need to have
>>>>> to use/send this automatically generated CSR every time.
>>>>>
>>>>> thanks
>>>>>
>>>>> James M
>>>>>
>>>>
>>>> Hello James,
>>>> currently it's not possible but making installation with externally signed
>>>> CA single step sounds really useful to me.
>>>> Currently certmonger is generating the CSR for FreeIPA server in the first
>>>> step of installation. Certmonger is also able to send certificate to
>>>> external CA for signing.
>>>>
>>>> I'm not sure if we could combine these two certmonger's abilities right now
>>>> but if not it shouldn't be difficult to add functionality to certmonger to
>>>> send the CSR to preconfigured CA instead of just storing it in file.
>>>>
>>>> This would of course require configuring the certmonger with information
>>>> about the CA before FreeIPA server installation but it's just one command
>>>> (getcert-add-ca).
>>>>
>>>> Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
>>>>
>>> There are two sides to this - one is using Certmonger for automatic
>>> signing of intermediate CA certificate to be used by IPA, the other
>>> is simply using a CA cert that the administrator already possesses,
>>> e.g. in a PKCS #12 file. These should be separate tickets.
>>>
>>> Cheers,
>>> Fraser
>>>
>>>> --
>>>> David Kupka
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>
>> Done -
>>
>> https://fedorahosted.org/freeipa/ticket/5317
>> https://fedorahosted.org/freeipa/ticket/5318
>>
>> Would it be possible to use Certmonger to help the 2 step process used at
>> the moment?
>>
>> ie. run 'ipa-server-install' the first time - get the CSR
>> use local Certmonger to handle the CSR submission to upstream CA
>> use the resulting Cert in the second 'ipa-server-install'
>>
>> Any pointers?
>>
>> regards
>>
>> James M
>>
> I don't see an option for certmonger to use an existing CSR but you
> could ask it to create and track a new CSR for the same key. See
> getcert-request(1) for full details.
>
> Cheers,
> Fraser
>

Any hints of how to make a request via Certmonger that would keep IPA happy?

Looking at the CSR, the awkward bits are...
###
Requested Extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
###

I presume this is done with...

-U EXTUSAGE    set requested extended key usage OID

How do I convert the IPA CSR text output for use with Certmonger?

thanks

James M

From rcritten at redhat.com Mon Sep 28 17:56:06 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Sep 2015 13:56:06 -0400
Subject: [Freeipa-users] password resets - errors
In-Reply-To: <560944B0.6050509@gmail.com>
References: <5607ED70.7070003@gmail.com> <56093C61.7040005@redhat.com> <560944B0.6050509@gmail.com>
Message-ID: <56097F36.2040204@redhat.com>

Janelle wrote:
> On 9/28/15 6:10 AM, Rob Crittenden wrote:
>> Janelle wrote:
>>> Hello,
>>>
>>> I continue to see these a lot, but only on some servers. It causes a lot
>>> of confusion with my users. There must be a way to troubleshoot this
>>> and find the issue. Also, there is nothing wrong with the password
>>> policies. They are all set to default, and this occurs even when a
>>> user's password has expired. The only thing I can say is it tends to
>>> happen on more heavily loaded servers than lightly loaded ones. And
>>> perhaps the most important point - the password *IS* changed
>>> successfully!
>>>
>>> Changing password for user expired-user.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> Password change failed. Server message: Current password's minimum life
>>> has not expired
>>>
>>> Password not changed.
>>> passwd: Authentication token manipulation error
>>>
>>> Thoughts? Anything?
>>>
>>> ~Janelle
>>>
>> What tool is changing the expired password?
>>
>> I'd be curious to see the password policy for the user, ipa
>> pwpolicy-show --user=
>>
>> Seeing the krbLastPwdChange
>> and krbPasswordExpiration might be handy too.
>>
>> rob
> Hi,
>
> I was hoping it would not go off on this tangent.
> All users have the
> default PW policy -- there are no differences and every single user has
> the same problem.

Well, I don't see it as a tangent. If the min time is > max time, I don't know how the backend handles that off the top of my head. Something thinks the password isn't old enough yet and that is a calculated value.

> The tool is simple "passwd" or, in the case of some users who have
> actually hit the 90-day expiry, nothing more than a simple login followed by
> the system saying your password has expired, please change it.
>
> The krbLastPwdChange shows the exact day/time of the user changing their
> PW, in this case, when this error occurs. The expiration shows 90 days
> from that time. If you see the specifics I mentioned, even though the
> error is presented, the password is actually changed. Really confused
> with this one.

And that's why I wanted to see the policy. Too young is defined as cur_time < last password change + min password life. Who knows, maybe it is a units issue.

In both the KDC and LDAP code this appears to be a show-stopping error which is why trying to duplicate it using your values would be useful.

Knowing the version of IPA would help too.

rob

From rsvancara at wsu.edu Mon Sep 28 18:03:11 2015
From: rsvancara at wsu.edu (Svancara, Randall)
Date: Mon, 28 Sep 2015 18:03:11 +0000
Subject: [Freeipa-users] Setting up Domain Trust with Active Directory w2008R2
In-Reply-To: <20150928065102.GB4539@redhat.com>
References: <1F880D7A2494B346B5AB96481EAE704A2406EAD8@EXMB-03.ad.wsu.edu>, <20150928065102.GB4539@redhat.com>
Message-ID: <1F880D7A2494B346B5AB96481EAE704A2406F087@EXMB-03.ad.wsu.edu>

Thanks! I will wait for 7.2 so I can upgrade to 4.2. I saw this bug too but was not sure if I was impacted or not.
Randall

________________________________________
From: Alexander Bokovoy [abokovoy at redhat.com]
Sent: Sunday, September 27, 2015 11:51 PM
To: Svancara, Randall
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Setting up Domain Trust with Active Directory w2008R2

On Sat, 26 Sep 2015, Svancara, Randall wrote:
>Hi,
>
>Trying to establish a trust relationship between a test domain that I
>have configured on windows server 2008r2 with FreeIPA 4.1.2 (Centos 7).
>
>I have enabled debugging and I attempt to run the following command:
>
>ipa trust-add --type=ad ad.winblows --admin Administrator --password
>
>The http error logs emit the following output provided below. Looks
>like something connects to the domain controller performing the CLDAP
>query, but then there is a second section that appears to have a
>problem with "non-public: KeyError: 'dns_hostname'

This looks like https://fedorahosted.org/freeipa/ticket/4570

We fixed it with refactoring of IPA trust-add code in FreeIPA 4.2.1. It is going to come to CentOS 7 eventually once RHEL 7.2 is released (beta is out already).

--
/ Alexander Bokovoy

From simo at redhat.com Mon Sep 28 18:16:21 2015
From: simo at redhat.com (Simo Sorce)
Date: Mon, 28 Sep 2015 14:16:21 -0400
Subject: [Freeipa-users] password resets - errors
In-Reply-To: <5607ED70.7070003@gmail.com>
References: <5607ED70.7070003@gmail.com>
Message-ID: <560983F5.4030204@redhat.com>

On 27/09/15 09:21, Janelle wrote:
> Hello,
>
> I continue to see these a lot, but only on some servers. It causes a lot
> of confusion with my users. There must be a way to troubleshoot this
> and find the issue. Also, there is nothing wrong with the password
> policies.
> They are all set to default, and this occurs even when a
> user's password has expired. The only thing I can say is it tends to
> happen on more heavily loaded servers than lightly loaded ones. And
> perhaps the most important point - the password *IS* changed successfully!
>
> Changing password for user expired-user.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Current password's minimum life
> has not expired
>
> Password not changed.
> passwd: Authentication token manipulation error
>
> Thoughts? Anything?

This may be due to an implementation issue in the client.

libkrb5 tends to wait only 1 second for an operation to succeed/fail and will send a new (identical) message if it gets back no answer, this is due to the fact historically KRB5 has used UDP in preference which doesn't guarantee message delivery, so the only option is to retry.

However if the first message actually went through and the only problem is that the server was busy and slower a second message will be received and processed just the same, only to find out the password has just been changed and can't be changed again, hence the error message.

I guess one way to handle this would be to disable clients from using UDP completely, although I am not 100% certain this will avoid the problem, IIRC at least in some versions the client library would retry after 1 second even on TCP.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Sep 28 18:33:03 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Sep 2015 14:33:03 -0400
Subject: [Freeipa-users] password resets - errors
In-Reply-To: <560983F5.4030204@redhat.com>
References: <5607ED70.7070003@gmail.com> <560983F5.4030204@redhat.com>
Message-ID: <560987DF.6070903@redhat.com>

Simo Sorce wrote:
> On 27/09/15 09:21, Janelle wrote:
>> Hello,
>>
>> I continue to see these a lot, but only on some servers. It causes a lot
>> of confusion with my users.
>> There must be a way to troubleshoot this
>> and find the issue. Also, there is nothing wrong with the password
>> policies. They are all set to default, and this occurs even when a
>> user's password has expired. The only thing I can say is it tends to
>> happen on more heavily loaded servers than lightly loaded ones. And
>> perhaps the most important point - the password *IS* changed
>> successfully!
>>
>> Changing password for user expired-user.
>> Current Password:
>> New password:
>> Retype new password:
>> Password change failed. Server message: Current password's minimum life
>> has not expired
>>
>> Password not changed.
>> passwd: Authentication token manipulation error
>>
>> Thoughts? Anything?
>
> This may be due to an implementation issue in the client.
> libkrb5 tends to wait only 1 second for an operation to succeed/fail and
> will send a new (identical) message if it gets back no answer, this is
> due to the fact historically KRB5 has used UDP in preference which
> doesn't guarantee message delivery, so the only option is to retry.
>
> However if the first message actually went through and the only problem
> is that the server was busy and slower a second message will be received
> and processed just the same, only to find out the password has just been
> changed and can't be changed again, hence the error message.
>
> I guess one way to handle this would be to disable clients from using
> UDP completely, although I am not 100% certain this will avoid the
> problem, IIRC at least in some versions the client library would retry
> after 1 second even on TCP.
>
> Simo.
>
>

udp_preference_limit 0 was added to /etc/krb5.conf in 4.2 to prefer TCP for the initial request anyway. According to the man page it will always fall back to UDP upon failure.
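The duplicate-request race Simo describes, together with the "too young" rule Rob quotes earlier in the thread (cur_time < last password change + min password life), as an added Python model that is not libkrb5, FreeIPA or list code: a busy server answers after the client's 1-second UDP timeout, the identical resend hits the freshly updated krbLastPwdChange, and the user sees the error although the first copy changed the password. The prefer_tcp flag stands for the udp_preference_limit = 0 setting, the server flags identical requests inside the retransmit window as suspected retransmits, and all timings, names and the flagging heuristic are assumptions.

```python
"""Constructed model of a kpasswd-style exchange under the UDP retransmit
behaviour Simo describes and the minimum-life rule Rob quotes.  Added
example, not MIT krb5 or FreeIPA code; timing constants are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RETRANSMIT_TIMEOUT_S = 1.0   # UDP wait before the client resends the same request
MAX_ATTEMPTS = 3             # copies the modelled client is willing to send
RETRANSMIT_WINDOW_S = RETRANSMIT_TIMEOUT_S * MAX_ATTEMPTS

OK = "Password changed"
TOO_YOUNG = "Current password's minimum life has not expired"


@dataclass
class Principal:
    krb_last_pwd_change: float                 # epoch seconds of the last change
    history: List[str] = field(default_factory=list)  # passwords actually set


@dataclass
class ChangeRequest:
    principal: str
    new_password: str
    sent_at: float                             # client clock when this copy left


class KpasswdServer:
    """Change-password service applying cur_time < last change + min life."""

    def __init__(self, min_pw_life_s: float, principals: Dict[str, Principal],
                 latency_s: float) -> None:
        self.min_pw_life_s = min_pw_life_s
        self.principals = principals
        self.latency_s = latency_s             # processing delay of a busy server
        self._last_seen: Dict[Tuple[str, str], float] = {}
        self.suspected_retransmits: List[str] = []

    def handle(self, req: ChangeRequest) -> Tuple[float, str]:
        """Process one request copy; returns (time the reply leaves, reply)."""
        now = req.sent_at + self.latency_s
        key = (req.principal, req.new_password)
        # Defender-side check: an identical request for the same principal
        # inside the client's retransmit window is a retransmit, not a second
        # user action; record it so the TOO_YOUNG reply can be explained.
        seen = self._last_seen.get(key)
        if seen is not None and now - seen <= RETRANSMIT_WINDOW_S:
            self.suspected_retransmits.append(req.principal)
        self._last_seen[key] = now

        p = self.principals[req.principal]
        if now < p.krb_last_pwd_change + self.min_pw_life_s:
            return now, TOO_YOUNG              # password is still "too young"
        p.krb_last_pwd_change = now
        p.history.append(req.new_password)
        return now, OK


def change_password(server: KpasswdServer, principal: str, new_password: str,
                    prefer_tcp: bool) -> Tuple[str, int]:
    """Client side: over UDP, wait RETRANSMIT_TIMEOUT_S and resend the identical
    request if nothing came back; prefer_tcp models udp_preference_limit = 0
    (one reliable stream, no timeout-driven resend).  Returns (reply the user
    sees, copies sent).  Simplification: the client acts on the reply to its
    last copy, which is how the error reaches the user in Simo's account."""
    clock, attempts, reply = 0.0, 0, ""
    while attempts < MAX_ATTEMPTS:
        attempts += 1
        reply_at, reply = server.handle(ChangeRequest(principal, new_password, clock))
        if prefer_tcp or reply_at - clock <= RETRANSMIT_TIMEOUT_S:
            break                              # reply arrived in time
        clock += RETRANSMIT_TIMEOUT_S          # timed out: resend the same request
    return reply, attempts


def scenario(latency_s: float, prefer_tcp: bool,
             min_pw_life_s: float = 3600.0) -> Tuple[str, int, int, int]:
    """One user whose password expired 90 days ago changes it once.  Returns
    (reply seen, copies sent, times the password was set, flagged retransmits)."""
    principals = {"expired-user": Principal(krb_last_pwd_change=-90 * 86400.0)}
    server = KpasswdServer(min_pw_life_s, principals, latency_s)
    reply, copies = change_password(server, "expired-user", "N3w-pass!", prefer_tcp)
    return (reply, copies, len(principals["expired-user"].history),
            len(server.suspected_retransmits))


if __name__ == "__main__":
    for latency, tcp in ((0.2, False), (1.5, False), (1.5, True)):
        print(f"latency={latency}s prefer_tcp={tcp}: {scenario(latency, tcp)}")
```

With a 1.5 s server delay over UDP the password is set exactly once yet the user is shown the minimum-life error, which is the symptom in Janelle's report; with no minimum life the retransmits silently re-set the same password instead.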
rob

From jpazdziora at redhat.com Tue Sep 29 08:29:10 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 29 Sep 2015 10:29:10 +0200
Subject: [Freeipa-users] otp issue: can't log in with password+otp
In-Reply-To:
References:
Message-ID: <20150929082910.GU2227@redhat.com>

On Mon, Sep 21, 2015 at 04:49:42PM -0600, Duncan McNaught wrote:
> Dear freeipa-users,
>
> I'm having an issue with otp in freeipa. I can set up the service as
> described in the blog post for TOTP or HOTP, and sync the token fine.
> When I try to login to the admin tools or an ipa-managed client (with
> ) , I get a password incorrect message.
> Here are some more details:
> https://github.com/adelton/docker-freeipa/issues/34

For the record, the issue has now been resolved, fixes pushed to the git repo, and new images on Docker hub built.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From sdutina at gmail.com Tue Sep 29 09:35:42 2015
From: sdutina at gmail.com (Srdjan Dutina)
Date: Tue, 29 Sep 2015 11:35:42 +0200
Subject: [Freeipa-users] FreeIPA with third-party wildcard certificate
Message-ID:

Hi!

I'm testing FreeIPA 4.1.0 on Centos 7 (1503). I have a *wildcard* certificate for my domain issued by GoDaddy. Could I use it with FreeIPA primary and replica servers instead of self-signed certificate? If yes, how could I replace the self-signed certificate in existing two servers installation?

Thank you.

Srdjan.
From pbrezina at redhat.com Tue Sep 29 11:48:14 2015
From: pbrezina at redhat.com (Pavel Březina)
Date: Tue, 29 Sep 2015 13:48:14 +0200
Subject: [Freeipa-users] sudo options/sss_cache
In-Reply-To: <20150925111248.GM7272@hendrix.redhat.com>
References: <20150925080559.GH7272@hendrix.redhat.com> <5605186B.3030303@redhat.com> <20150925111248.GM7272@hendrix.redhat.com>
Message-ID: <560A7A7E.70209@redhat.com>

On 09/25/2015 01:12 PM, Jakub Hrozek wrote:
> On Fri, Sep 25, 2015 at 11:48:27AM +0200, Pavel Březina wrote:
>> On 09/25/2015 10:06 AM, Jakub Hrozek wrote:
>>> On Thu, Sep 24, 2015 at 03:39:48PM +0200, Christoph Kaminski wrote:
>>>> Hi
>>>>
>>>> I have 3 problems/questions with ipa and sudo...
>>>>
>>>> 1. How to make a GLOBAL sudo rule with all the options what I want to
>>>> have? (e.g. !authenticate). I have tried to make a sudo rule for all users
>>>> on all hosts whom all users but without command and it doesn't work... Do I
>>>> need to set it for each rule separately?
>>>
>>> Pavel (CC) would know this better, in native sudo there is a global
>>> entry but I keep forgetting what it is in IPA..
>>
>> Hi, please, create a rule named "defaults".
>>
>> I see this question is returning frequently. I think it should be supported
>> directly by user interface.
>
> +1 care to file a ticket?
>
> ..and a good candidate for the troubleshooting guide in the works :-)
>

Hi, I filed a ticket: https://fedorahosted.org/freeipa/ticket/5332

From pbrezina at redhat.com Tue Sep 29 11:49:25 2015
From: pbrezina at redhat.com (Pavel Březina)
Date: Tue, 29 Sep 2015 13:49:25 +0200
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
In-Reply-To:
References:
Message-ID: <560A7AC5.20607@redhat.com>

On 09/15/2015 09:10 AM, Molnár Domokos wrote:
>
> "Molnár Domokos" wrote:
>
> On 09/14/2015 03:08 PM, Pavel Březina wrote:
>> On 09/11/2015 02:40 PM, Molnár Domokos wrote:
>>> Full log attached.
>>> "Moln?r Domokos" ?rta: >>> >>> >>> "Pavel B?ezina" ?rta: >>> >>> On 09/09/2015 09:31 PM, Moln?r Domokos wrote: >>> > I have a working IPA server and a working client >>> config on an OpenSuse >>> > 13.2 with the following versions: >>> > nappali:~ # rpm -qa |grep sssd >>> > sssd-tools-1.12.2-3.4.1.i586 >>> > sssd-krb5-1.12.2-3.4.1.i586 >>> > python-sssd-config-1.12.2-3.4.1.i586 >>> > sssd-ipa-1.12.2-3.4.1.i586 >>> > sssd-1.12.2-3.4.1.i586 >>> > sssd-dbus-1.12.2-3.4.1.i586 >>> > sssd-krb5-common-1.12.2-3.4.1.i586 >>> > sssd-ldap-1.12.2-3.4.1.i586 >>> > sssd is confihured for nss, pam, sudo >>> > There is a test sudo rule defined in the ipa server, >>> which applies to >>> > user "doma". However when the user tries to use sudo >>> the rule does not >>> > work. >>> > doma at nappali:/home/doma> sudo ls >>> > doma's password: >>> > doma is not allowed to run sudo on nappali. This >>> incident will be reported. >>> > The corresponding log in the sssd_sudo.log is this: >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sss_cmd_get_version] (0x0200): >>> > Received client version [1]. >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sss_cmd_get_version] (0x0200): >>> > Offered version [1]. 
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sss_parse_name_for_domains] >>> > (0x0200): name 'doma' matched without domain, user is doma >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sss_parse_name_for_domains] >>> > (0x0200): name 'doma' matched without domain, user is doma >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sudosrv_cmd_parse_query_done] >>> > (0x0200): Requesting default options for [doma] from >>> [] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sudosrv_get_user] (0x0200): >>> > Requesting info about [doma at szilva] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> > [sudosrv_get_sudorules_query_cache] (0x0200): >>> Searching sysdb with >>> > >>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> > [sudosrv_get_sudorules_query_cache] (0x0200): >>> Searching sysdb with >>> > [(&(objectClass=sudoRule)(|(name=defaults)))] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sss_parse_name_for_domains] >>> > (0x0200): name 'doma' matched without domain, user is doma >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sss_parse_name_for_domains] >>> > (0x0200): name 'doma' matched without domain, user is doma >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sudosrv_cmd_parse_query_done] >>> > (0x0200): Requesting rules for [doma] from [] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sudosrv_get_user] (0x0200): >>> > Requesting info about [doma at szilva] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> > [sudosrv_get_sudorules_query_cache] (0x0200): >>> Searching sysdb with >>> > >>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> 
> [sudosrv_get_sudorules_query_cache] (0x0200): >>> Searching sysdb with >>> > >>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] >>> > (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] >>> (0x0200): Client >>> > disconnected! >>> > This seems perfectly OK with one exception. The query >>> against the sysdb >>> > does not find the entry. This is strange because the >>> entry is there. >>> > Log in sssd.log: >>> > (Wed Sep 2 08:52:13 2015) [sssd] >>> [sysdb_domain_init_internal] (0x0200): >>> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb >>> > So we know that the sysdb is >>> /var/lib/sss/db/cache_szilva.ldb >>> > Running the exact same query seen above in the >>> sssd_sudo.log against the >>> > db returns: >>> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb >>> > >>> "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))" >>> > asq: Unable to register control with rootdse! >>> > # record 1 >>> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb >>> > cn: Doma_ls >>> > dataExpireTimestamp: 1441830262 >>> > entryUSN: 20521 >>> > name: Doma_ls >>> > objectClass: sudoRule >>> > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva >>> > sudoCommand: ls >>> > sudoHost: nappali.szilva >>> > sudoRunAsGroup: ALL >>> > sudoRunAsUser: ALL >>> > sudoUser: doma >>> > distinguishedName: >>> name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb >>> > # returned 1 records >>> > # 1 entries >>> > # 0 referrals >>> > This confirms that the entry is indeed there in the >>> db. Why is it found >>> > with ldbsearch and why does sssd_sudo not find it? >>> > I am pretty much stuck with this one. Anyone has an idea? >>> > >>> > >>> Hi, >>> this is strange. Can you provide the logs with debug >>> level set to 0x3ff0 >>> >>> please? Can you also send it as an attachment? 
Thanks! >>> >>> Sure. Here it is. Now I can see that the rule is returned. The >>> question is why the rule does not match. Anyway much better :) >> >> Hi, thanks for the logs. Since the rule is returned, we will get >> more information from sudo logs. Can you please enable sudo >> logging by putting the following line into /etc/sudo.conf? >> >> Debug sudo /var/log/sudo_debug all at trace >> >> Run sudo and send us /var/log/sudo_debug? Thanks > > Thanks for the tip with the proper debug syntax - I was unable to > get a single log item out of sudo before. > > I think I have found something. This is the relevant part of the > output of all at debug (you need this not trace I think): > > Sep 14 22:13:39 sudo[2314] username=doma > Sep 14 22:13:39 sudo[2314] domainname=NULL > Sep 14 22:13:39 sudo[2314] state |= USERMATCH > Sep 14 22:13:39 sudo[2314] Received 1 rule(s) > Sep 14 22:13:39 sudo[2314] -> sudo_sss_filter_result @ ./sssd.c:175 > Sep 14 22:13:39 sudo[2314] in_res=0xb7c9c1b8, count=1, act=INCLUDE > Sep 14 22:13:39 sudo[2314] emalloc: cnt=1 > Sep 14 22:13:39 sudo[2314] -> sudo_sss_result_filterp @ ./sssd.c:648 > Sep 14 22:13:39 sudo[2314] -> sudo_sss_check_host @ ./sssd.c:556 > Sep 14 22:13:39 sudo[2314] val[0]=nappali.szilva > Sep 14 22:13:39 sudo[2314] -> addr_matches @ ./match_addr.c:206 > Sep 14 22:13:39 sudo[2314] -> addr_matches_if @ ./match_addr.c:61 > Sep 14 22:13:39 sudo[2314] <- addr_matches_if @ ./match_addr.c:71 := > false > Sep 14 22:13:39 sudo[2314] IP address nappali.szilva matches local > host: false @ addr_matches() ./match_addr.c:217 > Sep 14 22:13:39 sudo[2314] <- addr_matches @ ./match_addr.c:218 := false > Sep 14 22:13:39 sudo[2314] -> netgr_matches @ ./match.c:941 > Sep 14 22:13:39 sudo[2314] netgroup appali.szilva has no leading '+' > Sep 14 22:13:39 sudo[2314] <- netgr_matches @ ./match.c:953 := false > Sep 14 22:13:39 sudo[2314] -> hostname_matches @ ./match.c:776 > Sep 14 22:13:39 sudo[2314] host nappali matches sudoers pattern > 
nappali.szilva: false @ hostname_matches() ./match.c:788
> Sep 14 22:13:39 sudo[2314] <- hostname_matches @ ./match.c:789 := false
> Sep 14 22:13:39 sudo[2314] sssd/ldap sudoHost 'nappali.szilva' ... not
> Sep 14 22:13:39 sudo[2314] <- sudo_sss_check_host @ ./sssd.c:591 := false
> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_filterp @ ./sssd.c:654 := 0
> Sep 14 22:13:39 sudo[2314] reallocating result: 0xb7cb1900 (count: 1 -> 0)
> Sep 14 22:13:39 sudo[2314] <- sudo_sss_filter_result @ ./sssd.c:221 := 0xb7c9e410
> Sep 14 22:13:39 sudo[2314] u_sss_result=(0xb7c9c1b8, 1) => f_sss_result=(0xb7c9e410, 0)
> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_get @ ./sssd.c:728 := 0xb7c9e410
> Sep 14 22:13:39 sudo[2314] searching SSSD/LDAP for sudoers entries
> Sep 14 22:13:39 sudo[2314] Done with LDAP searches
>
>
> And here is the code from match.c.
>
> bool
> hostname_matches(const char *shost, const char *lhost, const char *pattern)
> {
>     debug_decl(hostname_matches, SUDO_DEBUG_MATCH)
>     const char *host;
>     bool rc;
>
>     host = strchr(pattern, '.') != NULL ? lhost : shost;
>     if (has_meta(pattern)) {
>         rc = !fnmatch(pattern, host, FNM_CASEFOLD);
>     } else {
>         rc = !strcasecmp(host, pattern);
>     }
>     sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
>         "host %s matches sudoers pattern %s: %s",
>         host, pattern, rc ? "true" : "false");
>     debug_return_bool(rc);
> }
>
> By the look of it it should match. I tried to find out how shost and
> lhost get their values - these are macros to a member of the
> sudo_user struct but that part is not debugged. Only thing I can
> confirm is that I do not get the
>
> log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host);
>
> from line 816 of sudoers.c.
>
> I also checked the hosts file and there I do have the
>
> 192.168.110.3 nappali nappali.szilva
>
> entry.
>
> Still stuck with this.
>
> Additional info. In match.c
>
> 780 host = strchr(pattern, '.') != NULL ? lhost : shost;
>
> if the pattern contains a '.' then lhost is used, which is then
>
> 784 rc = !strcasecmp(host, pattern);
>
> compared with the pattern. In our case - from the debug log - host is
> "nappali" while the pattern is "nappali.szilva".
>
> Clearly for some reason lhost does not contain the fqdn as it should. I
> also tested the set_fqdn at line 806 in sudoers.c with this code:
>
> #include <netdb.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/socket.h>
> #include <sys/types.h>
>
> /* AI_FQDN is a getaddrinfo() extension on some systems; sudo's compat
>    header falls back to AI_CANONNAME where it is missing, so do the same */
> #ifndef AI_FQDN
> #define AI_FQDN AI_CANONNAME
> #endif
>
> int
> main(void)
> {
>     struct addrinfo *res0, hint;
>     char *p;
>     char *user_host, *user_shost;
>
>     user_host=malloc(500);
>     user_shost=malloc(500);
>
>     memset(&hint, 0, sizeof(hint));
>     hint.ai_family = PF_UNSPEC;
>     hint.ai_flags = AI_FQDN;
>     if (getaddrinfo("nappali", NULL, &hint, &res0) != 0) {
>         printf("unable to resolve host %s", "nappali");
>     } else {
>         /* canonical name from the resolver becomes the long hostname */
>         user_host = strdup(res0->ai_canonname);
>         printf ("Canonname, user_host: %s, %s\n",res0->ai_canonname,user_host);
>         /* short hostname is everything before the first dot */
>         if ((p = strchr(user_host, '.')) != NULL)
>             user_shost = strndup(user_host, (size_t)(p - user_host));
>         else
>             user_shost = user_host;
>     }
>     printf("Shost: %s\n",user_shost);
>     return 0;
> }
>
> This outputs on the host in question:
>
> doma at nappali:/home/doma> cc test.c
> doma at nappali:/home/doma> ./a.out
> Canonname, user_host: nappali.szilva, nappali.szilva
> Shost: nappali
>
> Seems OK.
>
> Any idea?

Hi, I'm sorry for a late delay. Did you manage to create any progress on this?
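The sudo debug output in the thread above shows hostname_matches() comparing the short name "nappali" with the rule's sudoHost "nappali.szilva" and returning false, which is why the rule is dropped before sudo ever looks at the command. The following is an added example, not code from the thread and not sudo's own source: a stand-alone model of that host decision (a dotted pattern is compared with the long hostname, anything else with the short one, case-insensitively) that can be run offline against constructed hostnames. The helper names split_host and rule_applies are mine, and the small glob matcher stands in for fnmatch(FNM_CASEFOLD) with only '*' and '?' supported; it is assumed that sudoHost values do not use bracket classes or backslash escapes.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not sudo's source. has_meta() uses the same metacharacter
 * set sudo uses to decide between a glob and a plain string compare. */
static bool has_meta(const char *s)
{
    return strpbrk(s, "\\?*[]") != NULL;
}

/* Minimal case-insensitive glob supporting '*' and '?' only. It stands in
 * for fnmatch(pattern, host, FNM_CASEFOLD); bracket classes and backslash
 * escapes are not handled (assumption: they are not used in sudoHost). */
static bool glob_match_ci(const char *pat, const char *str)
{
    for (;;) {
        if (*pat == '\0')
            return *str == '\0';
        if (*pat == '*') {
            while (*pat == '*')
                pat++;
            if (*pat == '\0')
                return true;
            for (; *str != '\0'; str++)
                if (glob_match_ci(pat, str))
                    return true;
            return false;
        }
        if (*str == '\0')
            return false;
        if (*pat != '?' &&
            tolower((unsigned char)*pat) != tolower((unsigned char)*str))
            return false;
        pat++;
        str++;
    }
}

/* Same decision as sudo's hostname_matches(): a pattern that contains a
 * dot is compared with the long hostname (lhost), anything else with the
 * short one (shost). Both comparisons ignore case. */
bool hostname_matches(const char *shost, const char *lhost, const char *pattern)
{
    const char *host = strchr(pattern, '.') != NULL ? lhost : shost;

    if (has_meta(pattern))
        return glob_match_ci(pattern, host);
    return strcasecmp(host, pattern) == 0;
}

/* Short name = everything before the first dot of the resolved name, the
 * same split the set_fqdn() test program in the thread performs. */
void split_host(const char *canon, char *shost, size_t n)
{
    const char *p = strchr(canon, '.');
    size_t len = p != NULL ? (size_t)(p - canon) : strlen(canon);

    if (len >= n)
        len = n - 1;
    memcpy(shost, canon, len);
    shost[len] = '\0';
}

/* Hypothetical helper: would a rule with this sudoHost survive sudo's host
 * filter on a client whose resolved hostname is resolved_host? */
bool rule_applies(const char *resolved_host, const char *sudo_host)
{
    char shost[256];

    split_host(resolved_host, shost, sizeof shost);
    return hostname_matches(shost, resolved_host, sudo_host);
}

int main(void)
{
    /* Constructed inputs: the thread's sudoHost value against the short
     * name sudo logged, against the expected FQDN, and against a glob. */
    static const struct { const char *host, *rule; } cases[] = {
        { "nappali",        "nappali.szilva" },
        { "nappali.szilva", "nappali.szilva" },
        { "nappali.szilva", "*.szilva" },
        { "nappali.szilva", "NAPPALI" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("resolved host %-15s sudoHost %-15s -> %s\n", cases[i].host,
               cases[i].rule,
               rule_applies(cases[i].host, cases[i].rule) ? "match" : "no match");
    return 0;
}
```

The first case reproduces the debug output: once the long hostname has collapsed to "nappali", a sudoHost that contains a dot can never match, whatever the short name is. The value sudo prints as "host" in the hostname_matches line is therefore the thing to compare with the rule; on the client, the output of hostname and hostname -f gives the short and long names sudo will be working from.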
From pbrezina at redhat.com Tue Sep 29 11:53:05 2015 From: pbrezina at redhat.com (=?UTF-8?B?UGF2ZWwgQsWZZXppbmE=?=) Date: Tue, 29 Sep 2015 13:53:05 +0200 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local> References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> <20150921192924.GQ13819@hendrix.redhat.com> <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local> <20150921200943.GY13819@hendrix.redhat.com> <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local> Message-ID: <560A7BA1.7080706@redhat.com> On 09/21/2015 10:42 PM, Andy Thompson wrote: >> On Mon, Sep 21, 2015 at 07:39:01PM +0000, Andy Thompson wrote: >>>> -----Original Message----- >>>> From: Jakub Hrozek [mailto:jhrozek at redhat.com] >>>> Sent: Monday, September 21, 2015 3:29 PM >>>> To: Andy Thompson >>>> Cc: freeipa-users at redhat.com; pbrezina at redhat.com >>>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo >>>> >>>> On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson wrote: >>>>>> >>>>>> On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote: >>>>>>> I've narrowed it down a bit doing some testing. The sudo >>>>>>> rules work when >>>>>> I remove the user group restriction from them. My sudo rules >>>>>> all have my ad groups in the rule >>>>>>> >>>>>>> Rule name: ad_linux_admins >>>>>>> Enabled: TRUE >>>>>>> Host category: all >>>>>>> Command category: all >>>>>>> RunAs User category: all >>>>>>> RunAs Group category: all >>>>>>> User Groups: ad_linux_admins <- if I remove this then the >>>>>>> rule gets >>>>>> applied >>>>>> >>>>>> Nice catch. Is the group visible after you login and run id? >>>>>> >>>>>> What is the exact IPA server version? 
>>>>> >>>>> Ok I also figured out if I rename my AD groups to match my IPA >>>>> groups then >>>> the sudo rules are applied. >>>>> >>>>> I tested a couple things though, if I put a rule in the local >>>>> sudoers file on a server running sssd 1.11 >>>>> >>>>> %@ "sudo commands" >>>>> >>>>> That rule was not applied. If I remove the then the >>>>> rule got >>>> applied. >>>>> >>>>> On a server running sssd 1.12 that rule works, but does not work >>>>> if I >>>> remove the . And none of the IPA sudo rules work. So >>>> something changed with the domain suffix between versions it would >>>> appear. >>>>> >>>>> They key to making the IPA sudo rules work in 1.12 is to remove >>>>> the >>>> default_domain_suffix setting in the sssd.conf, but that's not an >>>> option in my environment. >>>>> >>>>> So all the moving parts together, it appears that having AD groups >>>>> with a different name than the IPA groups in conjunction with the >>>>> default_domain_suffix setting breaks things right now in 1.12. >>>>> Appears since I renamed the ad group to match then the rule >>>>> without a domain suffix will get matched now >>>> >>>> Hello Andy, >>>> >>>> I'm sorry for the constant delays, but I was busy with some >>>> trust-related fixes lately. >>>> >>>> Did you have a chance to confirm that just swapping sssd /on the >>>> client/ while keeping the same version on the server fixes the issue for >> you? >>>> >>>> Pavel (CC), can you help me out here, please? I have the setup ready >>>> on my machine, so tomorrow we can take a look and experiment (I can >>>> give you access to my environment via tmate maybe..), but I wasn't >>>> able to reproduce the issue locally yet. >>> >>> It's fine I understand the backlog. >>> >>> I was not able to backrev the sssd due to dependency issues. I tried >> downgrading all the dependencies and got in a loop and stopped trying. Are >> there any tricks you can think of to downgrade the sssd cleanly? 
>>>
>>> -andy
>>>
>>
>> What failures are you getting? I normally just download all *sss* packages
>> and then downgrade with rpm -U --oldpackage.
>
>
> I'm just trying to use yum. If I yum downgrade sssd I get a ton of deps. If I include all the deps it lists
>
> yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac sssd-krb5 sssd-krb5-common sssd-ldap sssd-ad libipa_hbac libipa_hbac-python python-sssdconfig
>
> I get multilib errors with libsss_idmap.
>
> Looks like my local repo doesn't have libsss_idmap 1.11 available. Let me look into that and see what repo it sits in and see if I can figure out why it's not pulling in.
>
> -andy
>

Hi, since none of us is able to reproduce this in house, can you give us more precise steps how to reproduce and more information? What I have in mind at this moment is:

1) How is membership defined? I suspect it goes as AD-USER -> AD-GROUP -> IPA-GROUP, right? What types of groups are used?
2) sssd.conf might also turn out to be useful
3) Remove SSSD and sudo logs, reproduce and send us all the logs please with the commands to reproduce. Not just snippets.

Do you have any test machine we can ssh to?

Thank you!

From brian.mathis+freeipa at betteradmin.com Tue Sep 29 12:16:24 2015
From: brian.mathis+freeipa at betteradmin.com (Brian Mathis)
Date: Tue, 29 Sep 2015 08:16:24 -0400
Subject: [Freeipa-users] FreeIPA with third-party wildcard certificate
In-Reply-To:
References:
Message-ID:

No. FreeIPA requires a *CA* certificate, which is a cert that has the ability to sign other certs. Unless you're in a large company with an expensive agreement in place with GoDaddy, that is not a permission they grant to regular certs. A wildcard cert is only allowed to be used on simple things like a web site, and does not have the ability to sign other certs.

~ Brian Mathis
@orev

On Tue, Sep 29, 2015 at 5:35 AM, Srdjan Dutina wrote:
> Hi!
>
> I'm testing FreeIPA 4.1.0 on CentOS 7 (1503).
> I have a *wildcard* certificate for my domain issued by GoDaddy.
> Could I use it with FreeIPA primary and replica servers instead of
> self-signed certificate?
> If yes, how could I replace the self-signed certificate in existing two
> servers installation?
>
> Thank you.
>
> Srdjan.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From janellenicole80 at gmail.com Tue Sep 29 13:28:18 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 29 Sep 2015 06:28:18 -0700
Subject: [Freeipa-users] password resets - errors
In-Reply-To: <560987DF.6070903@redhat.com>
References: <5607ED70.7070003@gmail.com> <560983F5.4030204@redhat.com> <560987DF.6070903@redhat.com>
Message-ID: <560A91F2.7050301@gmail.com>

On 9/28/15 11:33 AM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On 27/09/15 09:21, Janelle wrote:
>>> Hello,
>>>
>>> I continue to see these a lot, but only on some servers. It causes a lot
>>> of confusions with my users. There must be a way to troubleshoot this
>>> and find the issue. Also, there is nothing wrong with the password
>>> policies. They are all set to default, and this occurs even when a
>>> user's password has expired. The only thing I can say is it tends to
>>> happen on more heavily loaded servers than lightly loaded ones. And
>>> perhaps the most important point - the password *IS* changed
>>> successfully!
>>>
>>> Changing password for user expired-user.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> Password change failed. Server message: Current password's minimum life
>>> has not expired
>>>
>>> Password not changed.
>>> passwd: Authentication token manipulation error
>>>
>>> Thoughts? Anything?
>> This may be due to an implementation issue in the client.
>> libkrb5 tends to wait only 1 second for an operation to succeed/fail and
>> will send a new (identical) message if it gets back no answer, this is
>> due to the fact historically KRB5 has used UDP in preference which
>> doesn't guarantee message delivery, so the only option is to retry.
>>
>> However if the first message actually went through and the only problem
>> is that the server was busy and slower a second message will be received
>> and processed just the same, only to find out the password has just been
>> changed and can't be changed again, hence the error message.
>>
>> I guess one way to handle this would be to disable clients from using
>> UDP completely, although I am not 100% certain this will avoid the
>> problem, IIRC at least in some versions the client library would retry
>> after 1 second even on TCP.
>>
>> Simo.
>>
>>
> udp_preference_limit 0 was added to /etc/krb5.conf in 4.2 to prefer TCP
> for the initial request anyway. According to the man page it will always
> fall back to UDP upon failure.
>
> rob
>

This value appears to be set in 4.1.x as well, at least it is on my configurations.

Policy is set:

Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 1

and this is true for ALL users. I will try disabling UDP completely.

~J

From rcritten at redhat.com Tue Sep 29 14:18:00 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Sep 2015 10:18:00 -0400
Subject: [Freeipa-users] FreeIPA with third-party wildcard certificate
In-Reply-To:
References:
Message-ID: <560A9D98.1060401@redhat.com>

Brian Mathis wrote:
> No. FreeIPA requires a *CA* certificate, which is a cert that has the
> ability to sign other certs. Unless you're in a large company with an
> expensive agreement in place with GoDaddy, that is not a permission they
> grant to regular certs. A wildcard cert is only allowed to be used on
> simple things like a web site, and does not have the ability to sign
> other certs.
You can replace the web and/or LDAP certificates with a 3rd party cert, see
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

There be dragons (and countless corner cases).

rob

>
>
> ~ Brian Mathis
> @orev
>
>
> On Tue, Sep 29, 2015 at 5:35 AM, Srdjan Dutina wrote:
>
>     Hi!
>
>     I'm testing FreeIPA 4.1.0 on CentOS 7 (1503).
>     I have a *wildcard* certificate for my domain issued by GoDaddy.
>     Could I use it with FreeIPA primary and replica servers instead of
>     self-signed certificate?
>     If yes, how could I replace the self-signed certificate in existing
>     two servers installation?
>
>     Thank you.
>
>     Srdjan.
>

From tekturk at gmail.com Tue Sep 29 15:26:16 2015
From: tekturk at gmail.com (Sadettin Albasan)
Date: Tue, 29 Sep 2015 10:26:16 -0500
Subject: [Freeipa-users] NFS Automount Domain Homedirs
Message-ID:

I have a freeipa server and a trust relation with AD domain with almost everything working the way I planned except automounting NFS home directories for domain users. I have been reading about this on the net for almost a week, ended up trying a lot of different configurations, but I had no success to it. The closest I came to was removing krb5 authentication from the export and mount options. It is only then able to mount the directories. Since I have not seen any official guidelines about it, is this in works or any plan to implement? Thanks.
From abokovoy at redhat.com Tue Sep 29 15:47:54 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 29 Sep 2015 18:47:54 +0300
Subject: [Freeipa-users] NFS Automount Domain Homedirs
In-Reply-To:
References:
Message-ID: <20150929154754.GE4539@redhat.com>

On Tue, 29 Sep 2015, Sadettin Albasan wrote:
>I have a freeipa server and a trust relation with AD domain with almost
>everything working the way I planned except automounting NFS home
>directories for domain users. I have been reading about this on the net for
>almost a week, ended up trying a lot of different configurations, but I had
>no success to it. The closest I came to was removing krb5 authentication
>from the export and mount options. It is only then able to mount the
>directories. Since I have not seen any official guidelines about it, is
>this in works or any plan to implement? Thanks.

As usual, more details are required about server and client configuration/software in order to even guess your problems. What provides NFS storage? What is used on the client machines? How is identity mapping configured? Give examples of your configuration.

There are some issues in NFS identity mapping code that were fixed relatively recently and which prevented use of POSIX users with '@' in the name, for example.

--
/ Alexander Bokovoy

From christoph.kaminski at biotronik.com Tue Sep 29 19:14:41 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Tue, 29 Sep 2015 21:14:41 +0200
Subject: [Freeipa-users] Antwort: Re: sudo options/sss_cache
In-Reply-To: <560A7A7E.70209@redhat.com>
References: <20150925080559.GH7272@hendrix.redhat.com> <5605186B.3030303@redhat.com> <20150925111248.GM7272@hendrix.redhat.com> <560A7A7E.70209@redhat.com>
Message-ID:

oh thx! it would be really nice to have it...
Greetz
Christoph Kaminski

Pavel Březina wrote on 29.09.2015 13:48:14:
>
> Hi, I filed a ticket:
> https://fedorahosted.org/freeipa/ticket/5332

From tk at mdevsys.com Wed Sep 30 01:40:03 2015
From: tk at mdevsys.com (TomK)
Date: Tue, 29 Sep 2015 21:40:03 -0400
Subject: [Freeipa-users] HBAC
In-Reply-To: <560B3A68.7020401@mdevsys.com>
References: <560B3A68.7020401@mdevsys.com>
Message-ID: <560B3D73.9050704@mdevsys.com>

Hey Guys,

(Sending this again as I didn't have this email included in the freeipa-users mailing list so not sure if the other message will get posted.)

Before I post a ticket to RH Support for an RFE, I'll post the request here to get some feedback on options and what ideas folks have. I've a situation as follows. I have the following setup in WS 2012 AD DC:

TomK (user)
TomK Groups:
    unixg
    windowsg

unixg has the 'host' attribute defined 'lab01,lab02,lab03,lab04'
windowsg has the 'host' attribute defined 'lab06,lab07,lab08,lab09'

TomK (user) also has the 'host' attribute defined as per the proper RFC for LDAP. With SSSD rules I can define the rules to read the user 'host' attribute but not the group 'host' attribute:

    access_provider = ldap
    ldap_access_order = host
    ldap_user_authorized_host = host

Essentially TomK is to be given access to the hosts listed in the 'host' attribute but denied entry to the server lab05, for example (not listed in any group 'host' attribute above). If I have a new user that has joined that particular team at our organization, I can simply add her/him to the above groups and this user would get access only to the listed servers in the 'host' attribute by default. I don't need to specify new groups in customized sssd.conf or ldap.conf files or in sshd config files. Hence less to update with Salt or any other CM suite.
I've managed to set up SUDO rules and with the openssh-ldap.diff schema SSH public keys could be stored in AD as well and be read by OpenSSH. So aside from the HBAC capability on groups, virtually all our needs are handled by the WS2012 AD DC as it has to follow the OpenLDAP standard anyway. Now to get this we considered and are still considering FreeIPA. However this idea poses a set of challenges:

1) In large organizations where the AD support department are only trained in Windows AD setup and configuration (only Windows guys) this would require a minimum of 3 bodies to support that know LDAP/Linux. This is a large cost.

2) The additional server requires the same hardening as the Windows AD DC servers, meaning a new procedure has to be carved out for the 2+ FreeIPA servers to be supported, hardened and maintained (upgraded).

Now I probably sound somewhat anti-FreeIPA, however the challenges of implementing it in large organizations surface after some deliberation, so it is probably better to list them as it may help direct development of the product to contend with the challenges (like having a document fully dedicated to hardening a FreeIPA server with selinux and other technologies in an easy to maintain configuration). I could be mistaken but some folks mention that it's 'better' to implement this sort of HBAC through other means (?? iptables ??) but I have never tried the alternatives yet.

So, cutting to the end, would it be possible to add an attribute like:

    ldap_user_authorized_host

but perhaps called 'ldap_group_authorized_host' to the SSSD code to enable reading the 'host' attribute on AD/LDAP defined groups?

Cheers,
Tom
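The per-group host restriction Tom asks for, expressed with FreeIPA's own HBAC rules and external groups (the route the replies in this thread point to), as an added example that is not part of the thread. The AD domain, the IPA DNS domain, the group and rule names and the sample user are assumed placeholders; the AD 'host' attribute values are passed in by hand, since IPA does not read that attribute itself.

```shell
#!/bin/sh
# Added example: turn an AD group's 'host' attribute into a FreeIPA HBAC rule.
# Assumed placeholders (not from the thread): AD_DOMAIN, IPA_DOMAIN, the
# group/rule names derived below and the sample user 'tomk'.
AD_DOMAIN=${AD_DOMAIN:-ad.example.test}     # AD domain trusted by IPA
IPA_DOMAIN=${IPA_DOMAIN:-ipa.example.test}  # DNS domain of the IPA hosts

# Convert the comma-separated short names kept in the AD 'host' attribute
# ('lab01,lab02,...') into the FQDN --hosts=... arguments that
# hbacrule-add-host expects; IPA host entries are always fully qualified.
ad_hosts_to_ipa_args() {
    list=$1
    domain=$2
    out=""
    old_ifs=$IFS
    IFS=,
    for h in $list; do
        h=$(printf '%s' "$h" | tr -d ' ')
        [ -n "$h" ] || continue
        out="${out:+$out }--hosts=${h}.${domain}"
    done
    IFS=$old_ifs
    printf '%s' "$out"
}

# Build the chain AD group -> external IPA group -> POSIX IPA group and an
# HBAC rule that lets the POSIX group use sshd on the listed hosts only.
# Needs an admin ticket (kinit admin) and an established AD trust.
create_hbac_for_ad_group() {
    group=$1    # AD group name, e.g. unixg
    hosts=$2    # value of that group's AD 'host' attribute
    ext="ad_${group}_external"
    posix="ad_${group}"
    rule="ad_${group}_hosts"

    # External groups hold AD SIDs; HBAC rules only take POSIX groups,
    # hence the extra wrapping group.
    ipa group-add --external "$ext" --desc="members of ${AD_DOMAIN}\\${group}"
    ipa group-add-member "$ext" --external="${AD_DOMAIN}\\${group}"
    ipa group-add "$posix" --desc="POSIX wrapper for $ext"
    ipa group-add-member "$posix" --groups="$ext"

    ipa hbacrule-add "$rule" --desc="hosts from AD 'host' attribute of ${group}"
    ipa hbacrule-add-user "$rule" --groups="$posix"
    ipa hbacrule-add-service "$rule" --hbacsvcs=sshd
    # word splitting is intended: one --hosts=... argument per host
    # shellcheck disable=SC2046
    ipa hbacrule-add-host "$rule" $(ad_hosts_to_ipa_args "$hosts" "$IPA_DOMAIN")
}

# HBAC rules are additive: the default 'allow_all' rule has to be disabled
# once, otherwise every user keeps access to every host regardless of the
# rules above:
#   ipa hbacrule-disable allow_all
# Then verify the outcome without logging in anywhere (lab05 should be denied):
#   ipa hbactest --user="tomk@${AD_DOMAIN}" --host="lab01.${IPA_DOMAIN}" --service=sshd
#   ipa hbactest --user="tomk@${AD_DOMAIN}" --host="lab05.${IPA_DOMAIN}" --service=sshd

# Usage: sh hbac_from_ad.sh unixg 'lab01,lab02,lab03,lab04'
if [ "$#" -eq 2 ]; then
    create_hbac_for_ad_group "$1" "$2"
fi
```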
From abokovoy at redhat.com Wed Sep 30 05:50:47 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 30 Sep 2015 08:50:47 +0300
Subject: [Freeipa-users] HBAC
In-Reply-To: <560B3D73.9050704@mdevsys.com>
References: <560B3A68.7020401@mdevsys.com> <560B3D73.9050704@mdevsys.com>
Message-ID: <20150930055047.GG4539@redhat.com>

On Tue, 29 Sep 2015, TomK wrote:
>Hey Guy's,
>
>(Sending this again as I didn't have this email included in the
>freeipa-users mailing list so not sure if the other message will get
>posted.)
>
>Before I post a ticket to RH Support for an RFE, I'll post the request
>here to get some feedback on options and what ideas folks have. I've
>a situation as follows. I have the following setup in WS 2012 AD DC:
>
>TomK (user)
>TomK Groups:
> unixg
> windowsg
>
>unixg has the 'host' attribute defined 'lab01,lab02,lab03,lab04'
>windowsg has the 'host' attribute defined 'lab06,lab07,lab08,lab09'
>
>TomK(user) also has the 'host' attribute defined as per the proper RFC
>for LDAP. With SSSD rules I can define the rules to read the user
>'host' attribute but not the group 'host' attribute:
>
>|access_provider = ldap ldap_access_order = host
>ldap_user_authorized_host = host|
>
>Essentially TomK to be given access to hosts listed in the 'host'
>attribute but denied entry into lab05 for example (not listed in any
>group 'host' attribute above) to the server. If I have a new user
>that has joined that particular team at our organization, I can simply
>add her/him to the above groups and this user would get access only to
>the listed servers in 'host' attribute by default. I don't need to
>specify new groups in customized sssd.conf or ldap.conf files or in
>sshd config files. Hence less to update with Salt or any other CM
>suite. I've managed to setup SUDO rules and with the
>openssh-ldap.diff schema SSH public keys could be stored in AD as well
>and be read by OpenSSH.
So aside from the HBAC capability on groups, >virtually all our needs are handled by the WS2012 AD DC as it has to >follow the OpenLDAP standard anyway. Now to get this we considered >and are still considering FreeIPA. However this idea poses a set of >challenges: > >1) In large organizations where the AD support department are only >trained in Windows AD setup and configuration (Only windows guy's) >this would require a minimal of 3 bodies to support that know >LDAP/Linux. This is a large cost. > >2) The additional server requires the same hardening as the Windows AD >DC servers meaning a new procedure has to be carved out for the 2+ >FreeIPA servers to be supported, hardened and maintained (upgraded). > >Now I probably sound somewhat anti-FreeIPA, however the challenges of >implementing it in large organizations surface after some >deliberation, so probably better to list then as it may help direct >development of the product to contend with the challenges (Like having >a document fully dedicated to hardening a FreeIPA server with selinux >and other technologies in easy to maintain configuration). I could >be mistaken but some folks mention that it's 'better' to implement >this sort of HBAC through other means (?? iptables ??) but never tried >the alternatives yet. > >So, cutting to the end, would it be possible to add an attribute like: > >|ldap_user_authorized_host| > >but perhaps called 'ldap_group_authorized_host' to the SSSD code to >enable reading the 'host' attribute on AD/LDAP defined groups? In FreeIPA we support HBAC rules for AD users and groups. What exactly is wrong with that? See 'ipa help trust' for details how to map AD groups to IPA groups and then 'ipa help hbacrule' for how to limit access of those groups to specific hosts and services on them. 
This is all covered well in the guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html -- / Alexander Bokovoy From alex.williams at brighter-technology.com Wed Sep 30 09:25:05 2015 From: alex.williams at brighter-technology.com (Alex Williams) Date: Wed, 30 Sep 2015 10:25:05 +0100 Subject: [Freeipa-users] Weird error when attempting to create a new 3.0.0 replica with CA - Could really use some help Message-ID: <560BAA71.1090704@brighter-technology.com> Hi guys, I'm new to the list and I've got a really strange error when trying to create a new 3.0.0 replica of our existing 3.0.0 servers, with CA. I can create a replica without the CA, but once this replica is created, I need to disconnect it, upgrade the schema and hang a 4.0.0 server off of it to upgrade our entire deployment to ipa v4. Rather than clutter up the list with code, I've created a pastebin with the output I'm getting and any help, would be very much appreciated. I've been at this for a couple of days now with various issues and this particular one has me stumped. Environment: RHEL6.6, IPA3.0.0 http://pastebin.com/zZRC6i0X Thanks in advance for any help you can offer Alex From mkosek at redhat.com Wed Sep 30 11:57:27 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 30 Sep 2015 13:57:27 +0200 Subject: [Freeipa-users] What todo when a company/domain name should be changed ? In-Reply-To: References: Message-ID: <560BCE27.7090805@redhat.com> On 09/27/2015 01:34 PM, Matt . wrote: > Hi All, > > I'm investigating what the possibillities are when you have a existing > domain/realm and the company name is changed, so the domain should be > also. I came on this idea because of I wanted to know how flexible the > integration is here. > > As we use in my opinion a very simple and dumb node setup, we are very > able to move around as we want, but how is this done at other > companies ? 
>
> To start with DNS I would setup a new IPA server with the new domain
> and forward this domain from the old ipa server and start moving over
> servers and create a new hostkey for them. As loadbalancers are in
> place in lots of setups this is very easy to do without downtime.
>
> I'm more wondered about how the users and their related groups can be
> moved over, or would this be done using migrate-ds or something ? As
> the domain changes, so the dc= string too... the reference of the
> groups is missing.
>
> I hope someone can make this more clear as I think this is good
> knowledge to have upfront anything and any case.
>
> Thanks!
>
> matt

Good question. From a technical point of view, I think the biggest issue may be Kerberos principals/realm and Certificates subject/issuer as both are not that easy to change. CCing Simo in case he has a good idea how to do that.

I assume there are 2 ways how to approach the problem:
1) Keep using old realm and main domain and simply add aliases where needed, use the new DNS domain with old realm or old Certificate subject base

2) Start new FreeIPA with fixed Kerberos realm and CA - this is a clean start though rather brutal one. We have plans to provide some tooling to help, as for now there is only the possibility to migrate the users:
http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA

Lenka was already investigating https://fedorahosted.org/freeipa/ticket/3656, so some updates may happen.
From mkosek at redhat.com Wed Sep 30 12:07:19 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 30 Sep 2015 14:07:19 +0200
Subject: [Freeipa-users] FreeIPA with third-party wildcard certificate
In-Reply-To:
References:
Message-ID: <560BD077.3050504@redhat.com>

FreeIPA allows running in CA-less mode, where there is no CA and FreeIPA simply uses the offered CA/LDAP certificates:
http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

Some information is also here:
http://www.freeipa.org/images/b/b3/FreeIPA33-blending-in-a-certificate-infrastructure.pdf
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-options.html

Martin

On 09/29/2015 02:16 PM, Brian Mathis wrote:
> No. FreeIPA requires a *CA* certificate, which is a cert that has the
> ability to sign other certs. Unless you're in a large company with an
> expensive agreement in place with GoDaddy, that is not a permission they
> grant to regular certs. A wildcard cert is only allowed to be used on
> simple things like a web site, and does not have the ability to sign other
> certs.
>
>
> ~ Brian Mathis
> @orev
>
>
> On Tue, Sep 29, 2015 at 5:35 AM, Srdjan Dutina wrote:
>
>> Hi!
>>
>> I'm testing FreeIPA 4.1.0 on Centos 7 (1503).
>> I have a *wildcard *certificate for my domain issued by GoDaddy.
>> Could I use it with FreeIPA primary and replica servers instead of
>> self-signed certificate?
>> If yes, how could I replace the self-signed certificate in existing two
>> servers installation?
>>
>> Thank you.
>>
>> Srdjan.
>> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > > From mkosek at redhat.com Wed Sep 30 12:12:00 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 30 Sep 2015 14:12:00 +0200 Subject: [Freeipa-users] HBAC In-Reply-To: <20150930055047.GG4539@redhat.com> References: <560B3A68.7020401@mdevsys.com> <560B3D73.9050704@mdevsys.com> <20150930055047.GG4539@redhat.com> Message-ID: <560BD190.7050401@redhat.com> On 09/30/2015 07:50 AM, Alexander Bokovoy wrote: > On Tue, 29 Sep 2015, TomK wrote: >> Hey Guy's, >> >> (Sending this again as I didn't have this email included in the freeipa-users >> mailing list so not sure if the other message will get posted.) >> >> Before I post a ticket to RH Support for an RFE, I'll post the request here >> to get some feedback on options and what ideas folks have. I've a situation >> as follows. I have the following setup in WS 2012 AD DC: >> >> TomK (user) >> TomK Groups: >> unixg >> windowsg >> >> unixg has the 'host' attribute defined 'lab01,lab02,lab03,lab04' >> windowsg has the 'host' attribute defined 'lab06,lab07,lab08,lab09' >> >> TomK(user) also has the 'host' attribute defined as per the proper RFC for >> LDAP. With SSSD rules I can define the rules to read the user 'host' >> attribute but not the group 'host' attribute: >> >> >> |access_provider = ldap ldap_access_order = host ldap_user_authorized_host = >> host| >> >> >> Essentially TomK to be given access to hosts listed in the 'host' attribute >> but denied entry into lab05 for example (not listed in any group 'host' >> attribute above) to the server. If I have a new user that has joined that >> particular team at our organization, I can simply add her/him to the above >> groups and this user would get access only to the listed servers in 'host' >> attribute by default. 
I don't need to specify new groups in customized >> sssd.conf or ldap.conf files or in sshd config files. Hence less to update >> with Salt or any other CM suite. I've managed to setup SUDO rules and with >> the openssh-ldap.diff schema SSH public keys could be stored in AD as well >> and be read by OpenSSH. So aside from the HBAC capability on groups, >> virtually all our needs are handled by the WS2012 AD DC as it has to follow >> the OpenLDAP standard anyway. Now to get this we considered and are still >> considering FreeIPA. However this idea poses a set of challenges: >> >> 1) In large organizations where the AD support department are only trained in >> Windows AD setup and configuration (Only windows guy's) this would require a >> minimal of 3 bodies to support that know LDAP/Linux. This is a large cost. >> >> 2) The additional server requires the same hardening as the Windows AD DC >> servers meaning a new procedure has to be carved out for the 2+ FreeIPA >> servers to be supported, hardened and maintained (upgraded). >> >> Now I probably sound somewhat anti-FreeIPA, however the challenges of >> implementing it in large organizations surface after some deliberation, so >> probably better to list then as it may help direct development of the product >> to contend with the challenges (Like having a document fully dedicated to >> hardening a FreeIPA server with selinux and other technologies in easy to >> maintain configuration). I could be mistaken but some folks mention that >> it's 'better' to implement this sort of HBAC through other means (?? iptables >> ??) but never tried the alternatives yet. >> >> So, cutting to the end, would it be possible to add an attribute like: >> >> |ldap_user_authorized_host| >> >> but perhaps called 'ldap_group_authorized_host' to the SSSD code to enable >> reading the 'host' attribute on AD/LDAP defined groups? > In FreeIPA we support HBAC rules for AD users and groups. What exactly > is wrong with that? 
>
> See 'ipa help trust' for details how to map AD groups to IPA groups and
> then 'ipa help hbacrule' for how to limit access of those groups to
> specific hosts and services on them.
>
> This is all covered well in the guide:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html

More reading on External groups used for AD access control:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html#trust-win-groups

I would also suggest a video with HBAC and Trust in action:
https://www.youtube.com/watch?v=sQnNFJOzwa8

HTH,
Martin

From pspacek at redhat.com Wed Sep 30 12:18:18 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 30 Sep 2015 14:18:18 +0200
Subject: [Freeipa-users] System for Cross-domain Identity Management (SCIM) support?
In-Reply-To: <560A3503.2030305@redhat.com>
References: <560A3503.2030305@redhat.com>
Message-ID: <560BD30A.10301@redhat.com>

Dear users,

we have a few questions for you:
1) Would you like to see support for SCIM protocol in FreeIPA?
2) What are your use-cases?

Further reading:
* Presentations about SCIM from LDAPCon: http://lanyrd.com/2013/ldapcon/
* Quote from RFC 7642:

1. Introduction
[...]
Unlike the practice of some protocols like Application Bridging for Federated Access Beyond web (ABFAB) and SAML2 WebSSO, SCIM provides provisioning and de-provisioning of resources in a separate context from authentication (aka just-in-time provisioning).
[...]

2. SCIM User Scenarios

2.1. Background and Context

The System for Cross-domain Identity Management (SCIM) specification is designed to manage user identity in cloud-based applications and services in a standardized way to enable interoperability, security, and scalability.
The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. The intent of the SCIM specification is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols. In essence, make it fast, cheap, and easy to move users in to, out of, and around the cloud. Links: * http://tools.ietf.org/html/rfc7642 * http://tools.ietf.org/html/rfc7643 * http://tools.ietf.org/html/rfc7644 Petr^2 Spacek -------- Forwarded Message -------- Subject: [rfc-dist] RFC 7642 on System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements Date: Fri, 25 Sep 2015 16:34:54 -0700 (PDT) From: rfc-editor at rfc-editor.org To: ietf-announce at ietf.org, rfc-dist at rfc-editor.org CC: drafts-update-ref at iana.org, scim at ietf.org, rfc-editor at rfc-editor.org A new Request for Comments is now available in online RFC libraries. RFC 7642 Title: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements Author: K. LI, Ed., P. Hunt, B. Khasnabish, A. Nadalin, Z. Zeltsan Status: Informational Stream: IETF Date: September 2015 Mailbox: kepeng.lkp at alibaba-inc.com, phil.hunt at oracle.com, vumip1 at gmail.com, tonynad at microsoft.com, zachary.zeltsan at gmail.com Pages: 19 Characters: 38759 Updates/Obsoletes/SeeAlso: None I-D Tag: draft-ietf-scim-use-cases-08.txt URL: https://www.rfc-editor.org/info/rfc7642 DOI: http://dx.doi.org/10.17487/RFC7642 This document provides definitions and an overview of the System for Cross-domain Identity Management (SCIM). It lays out the system's concepts, models, and flows, and it includes user scenarios, use cases, and requirements. 
This document is a product of the System for Cross-domain Identity Management Working Group of the IETF. INFORMATIONAL: This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. This announcement is sent to the IETF-Announce and rfc-dist lists. To subscribe or unsubscribe, see https://www.ietf.org/mailman/listinfo/ietf-announce https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist For searching the RFC series, see https://www.rfc-editor.org/search For downloading RFCs, see https://www.rfc-editor.org/rfc.html Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-editor at rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution. The RFC Editor Team From Andy.Thompson at e-tcc.com Wed Sep 30 12:17:22 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Wed, 30 Sep 2015 12:17:22 +0000 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <560A7BA1.7080706@redhat.com> References: <0c3cfc56668f4cabab8ace55604099a3@TCCCORPEXCH02.TCC.local> <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> <20150921192924.GQ13819@hendrix.redhat.com> <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local> <20150921200943.GY13819@hendrix.redhat.com> <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local> <560A7BA1.7080706@redhat.com> Message-ID: <3ab447cc1e9549869d9cb58176bce9cf@TCCCORPEXCH02.TCC.local> > On 09/21/2015 10:42 PM, Andy Thompson wrote: > >> On Mon, Sep 21, 2015 at 07:39:01PM +0000, Andy Thompson wrote: > >>>> -----Original Message----- > >>>> From: Jakub Hrozek [mailto:jhrozek at redhat.com] > >>>> Sent: Monday, September 21, 2015 3:29 PM > >>>> To: Andy Thompson > >>>> Cc: freeipa-users at redhat.com; 
pbrezina at redhat.com > >>>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo > >>>> > >>>> On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson wrote: > >>>>>> > >>>>>> On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote: > >>>>>>> I've narrowed it down a bit doing some testing. The sudo rules > >>>>>>> work when > >>>>>> I remove the user group restriction from them. My sudo rules all > >>>>>> have my ad groups in the rule > >>>>>>> > >>>>>>> Rule name: ad_linux_admins > >>>>>>> Enabled: TRUE > >>>>>>> Host category: all > >>>>>>> Command category: all > >>>>>>> RunAs User category: all > >>>>>>> RunAs Group category: all > >>>>>>> User Groups: ad_linux_admins <- if I remove this then the > >>>>>>> rule gets > >>>>>> applied > >>>>>> > >>>>>> Nice catch. Is the group visible after you login and run id? > >>>>>> > >>>>>> What is the exact IPA server version? > >>>>> > >>>>> Ok I also figured out if I rename my AD groups to match my IPA > >>>>> groups then > >>>> the sudo rules are applied. > >>>>> > >>>>> I tested a couple things though, if I put a rule in the local > >>>>> sudoers file on a server running sssd 1.11 > >>>>> > >>>>> %@ "sudo commands" > >>>>> > >>>>> That rule was not applied. If I remove the then the > >>>>> rule got > >>>> applied. > >>>>> > >>>>> On a server running sssd 1.12 that rule works, but does not work > >>>>> if I > >>>> remove the . And none of the IPA sudo rules work. So > >>>> something changed with the domain suffix between versions it would > >>>> appear. > >>>>> > >>>>> They key to making the IPA sudo rules work in 1.12 is to remove > >>>>> the > >>>> default_domain_suffix setting in the sssd.conf, but that's not an > >>>> option in my environment. > >>>>> > >>>>> So all the moving parts together, it appears that having AD groups > >>>>> with a different name than the IPA groups in conjunction with the > >>>>> default_domain_suffix setting breaks things right now in 1.12. 
> >>>>> Appears since I renamed the ad group to match then the rule > >>>>> without a domain suffix will get matched now > >>>> > >>>> Hello Andy, > >>>> > >>>> I'm sorry for the constant delays, but I was busy with some > >>>> trust-related fixes lately. > >>>> > >>>> Did you have a chance to confirm that just swapping sssd /on the > >>>> client/ while keeping the same version on the server fixes the > >>>> issue for > >> you? > >>>> > >>>> Pavel (CC), can you help me out here, please? I have the setup > >>>> ready on my machine, so tomorrow we can take a look and experiment > >>>> (I can give you access to my environment via tmate maybe..), but I > >>>> wasn't able to reproduce the issue locally yet. > >>> > >>> It's fine I understand the backlog. > >>> > >>> I was not able to backrev the sssd due to dependency issues. I > >>> tried > >> downgrading all the dependencies and got in a loop and stopped > >> trying. Are there any tricks you can think of to downgrade the sssd > cleanly? > >>> > >>> -andy > >>> > >> > >> What failures are you getting? I normally just download all \*sss\* > >> packages and then downgrade with rpm -U --oldpackage. > > > > > > I'm just trying to use yum. If I yum downgrade sssd I get a ton of > > deps. If include all the deps it lists > > > > yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac sssd-krb5 > > sssd-krb5-common sssd-ldap sssd-ad libipa_hbac libipa_hbac-python > > python-sssdconfig > > > > I get multilib errors with libsss_idmap. > > > > Looks like my local repo doesn't have libsss_idmap 1.11 available. Let me > look into that and see what repo it sits in and see if I can figure out why it's > not pulling in. > > > > -andy > > > > Hi, since none of us is able to reproduce this in house, can you give us more > precise steps how to reproduce and more information? What I have in mind > at this moment is: > > 1) How is membership defined? I suspect it goes as AD-USER -> AD-GROUP > -> IPA->GROUP, right? 
What types of groups are used? > I have AD user->AD group->external IPA group->IPA group > 2) sssd.conf might also turn out to be useful > > 3) Remove SSSD and sudo logs, reproduce and send us all the logs please > with the commands to reproduce. Not just snippets. > I can gather this up and get it over to you. Actually I just realized I have two other environments and this is working without issue in those environments. I haven't done a full sudo rollout in those environments yet so I didn't think to check those, but the admins rule is working correctly and I haven't renamed any ad groups to match my IPA groups. Could it be something in a sudo rule or something in AD that's interfering with this working correctly? -andy From jhrozek at redhat.com Wed Sep 30 12:42:19 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 30 Sep 2015 14:42:19 +0200 Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo In-Reply-To: <3ab447cc1e9549869d9cb58176bce9cf@TCCCORPEXCH02.TCC.local> References: <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> <20150921192924.GQ13819@hendrix.redhat.com> <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local> <20150921200943.GY13819@hendrix.redhat.com> <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local> <560A7BA1.7080706@redhat.com> <3ab447cc1e9549869d9cb58176bce9cf@TCCCORPEXCH02.TCC.local> Message-ID: <20150930124219.GT15644@hendrix.arn.redhat.com> On Wed, Sep 30, 2015 at 12:17:22PM +0000, Andy Thompson wrote: > > On 09/21/2015 10:42 PM, Andy Thompson wrote: > > >> On Mon, Sep 21, 2015 at 07:39:01PM +0000, Andy Thompson wrote: > > >>>> -----Original Message----- > > >>>> From: Jakub Hrozek [mailto:jhrozek at redhat.com] > > >>>> Sent: Monday, September 21, 2015 3:29 PM > > >>>> To: Andy Thompson > > >>>> Cc: freeipa-users at redhat.com; pbrezina at redhat.com > > >>>> Subject: Re: 
[Freeipa-users] rhel 6.7 upgrade - sssd/sudo > > >>>> > > >>>> On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson wrote: > > >>>>>> > > >>>>>> On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote: > > >>>>>>> I've narrowed it down a bit doing some testing. The sudo rules > > >>>>>>> work when > > >>>>>> I remove the user group restriction from them. My sudo rules all > > >>>>>> have my ad groups in the rule > > >>>>>>> > > >>>>>>> Rule name: ad_linux_admins > > >>>>>>> Enabled: TRUE > > >>>>>>> Host category: all > > >>>>>>> Command category: all > > >>>>>>> RunAs User category: all > > >>>>>>> RunAs Group category: all > > >>>>>>> User Groups: ad_linux_admins <- if I remove this then the > > >>>>>>> rule gets > > >>>>>> applied > > >>>>>> > > >>>>>> Nice catch. Is the group visible after you login and run id? > > >>>>>> > > >>>>>> What is the exact IPA server version? > > >>>>> > > >>>>> Ok I also figured out if I rename my AD groups to match my IPA > > >>>>> groups then > > >>>> the sudo rules are applied. > > >>>>> > > >>>>> I tested a couple things though, if I put a rule in the local > > >>>>> sudoers file on a server running sssd 1.11 > > >>>>> > > >>>>> %@ "sudo commands" > > >>>>> > > >>>>> That rule was not applied. If I remove the then the > > >>>>> rule got > > >>>> applied. > > >>>>> > > >>>>> On a server running sssd 1.12 that rule works, but does not work > > >>>>> if I > > >>>> remove the . And none of the IPA sudo rules work. So > > >>>> something changed with the domain suffix between versions it would > > >>>> appear. > > >>>>> > > >>>>> They key to making the IPA sudo rules work in 1.12 is to remove > > >>>>> the > > >>>> default_domain_suffix setting in the sssd.conf, but that's not an > > >>>> option in my environment. 
> > >>>>> > > >>>>> So all the moving parts together, it appears that having AD groups > > >>>>> with a different name than the IPA groups in conjunction with the > > >>>>> default_domain_suffix setting breaks things right now in 1.12. > > >>>>> Appears since I renamed the ad group to match then the rule > > >>>>> without a domain suffix will get matched now > > >>>> > > >>>> Hello Andy, > > >>>> > > >>>> I'm sorry for the constant delays, but I was busy with some > > >>>> trust-related fixes lately. > > >>>> > > >>>> Did you have a chance to confirm that just swapping sssd /on the > > >>>> client/ while keeping the same version on the server fixes the > > >>>> issue for > > >> you? > > >>>> > > >>>> Pavel (CC), can you help me out here, please? I have the setup > > >>>> ready on my machine, so tomorrow we can take a look and experiment > > >>>> (I can give you access to my environment via tmate maybe..), but I > > >>>> wasn't able to reproduce the issue locally yet. > > >>> > > >>> It's fine I understand the backlog. > > >>> > > >>> I was not able to backrev the sssd due to dependency issues. I > > >>> tried > > >> downgrading all the dependencies and got in a loop and stopped > > >> trying. Are there any tricks you can think of to downgrade the sssd > > cleanly? > > >>> > > >>> -andy > > >>> > > >> > > >> What failures are you getting? I normally just download all \*sss\* > > >> packages and then downgrade with rpm -U --oldpackage. > > > > > > > > > I'm just trying to use yum. If I yum downgrade sssd I get a ton of > > > deps. If include all the deps it lists > > > > > > yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac sssd-krb5 > > > sssd-krb5-common sssd-ldap sssd-ad libipa_hbac libipa_hbac-python > > > python-sssdconfig > > > > > > I get multilib errors with libsss_idmap. > > > > > > Looks like my local repo doesn't have libsss_idmap 1.11 available. 
Let me > > look into that and see what repo it sits in and see if I can figure out why it's > > not pulling in. > > > > > > -andy > > > > > > > Hi, since none of us is able to reproduce this in house, can you give us more > > precise steps how to reproduce and more information? What I have in mind > > at this moment is: > > > > 1) How is membership defined? I suspect it goes as AD-USER -> AD-GROUP > > -> IPA->GROUP, right? What types of groups are used? > > > > I have AD user->AD group->external IPA group->IPA group > > > 2) sssd.conf might also turn out to be useful > > > > 3) Remove SSSD and sudo logs, reproduce and send us all the logs please > > with the commands to reproduce. Not just snippets. > > > > I can gather this up and get it over to you. > > Actually I just realized I have two other environments and this is working without issue in those environments. I haven't done a full sudo rollout in those environments yet so I didn't think to check those, but the admins rule is working correctly and I haven't renamed any ad groups to match my IPA groups. > > Could it be something in a sudo rule or something in AD that's interfering with this working correctly? I would first try to find the difference in the environment. Are sssd versions the same on the clients and servers? Are sudo versions the same? ...etc. Pavel has a sudo troubleshooting guide in the works, maybe it would help.. From ssorce at redhat.com Wed Sep 30 13:30:52 2015 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 30 Sep 2015 09:30:52 -0400 Subject: [Freeipa-users] What todo when a company/domain name should be changed ? In-Reply-To: <560BCE27.7090805@redhat.com> References: <560BCE27.7090805@redhat.com> Message-ID: <560BE40C.5000101@redhat.com> On 30/09/15 07:57, Martin Kosek wrote: > On 09/27/2015 01:34 PM, Matt . wrote: >> Hi All, >> >> I'm investigating what the possibillities are when you have a existing >> domain/realm and the company name is changed, so the domain should be >> also. 
>> I came on this idea because I wanted to know how flexible the
>> integration is here.
>>
>> As we use, in my opinion, a very simple and dumb node setup, we are very
>> able to move around as we want, but how is this done at other
>> companies?
>>
>> To start with DNS, I would set up a new IPA server with the new domain
>> and forward this domain from the old IPA server and start moving over
>> servers and create a new hostkey for them. As loadbalancers are in
>> place in lots of setups this is very easy to do without downtime.
>>
>> I'm more wondering about how the users and their related groups can be
>> moved over, or would this be done using migrate-ds or something? As
>> the domain changes, so does the dc= string too... the reference of the
>> groups is missing.
>>
>> I hope someone can make this more clear as I think this is good
>> knowledge to have upfront, in any case.
>>
>> Thanks!
>>
>> matt
>
> Good question. From a technical point of view, I think the biggest issue may be
> Kerberos principals/realm and Certificates subject/issuer as both are not that
> easy to change. CCing Simo in case he has a good idea how to do that.

We can't rename a domain, but you can move all servers to a different DNS domain.

> I assume there are 2 ways how to approach the problem:
> 1) Keep using old realm and main domain and simply add aliases where needed,
> use the new DNS domain with old realm or old Certificate subject base
>
> 2) Start new FreeIPA with fixed Kerberos realm and CA - this is a clean start
> though rather brutal one. We have plans to provide some tooling to help, as for
> now there is only the possibility to migrate the users:

My suggestion would be to go with 1 and/or wait for trust support in IPA, at that
point migration from one domain to another will be much easier as it will be
possible to do it one machine/user at a time (caveat, 2 distinct FreeIPA realms
will probably not be able to share the same DNS namespace).

HTH,
Simo.
> http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
>
> Lenka was already investigating https://fedorahosted.org/freeipa/ticket/3656,
> so some updates may happen.
>

--
Simo Sorce * Red Hat, Inc * New York

From tekturk at gmail.com Wed Sep 30 13:47:56 2015
From: tekturk at gmail.com (Sadettin Albasan)
Date: Wed, 30 Sep 2015 08:47:56 -0500
Subject: [Freeipa-users] NFS Automount Domain Homedirs
In-Reply-To: <20150929154754.GE4539@redhat.com>
References: <20150929154754.GE4539@redhat.com>
Message-ID:

Hi Alexander,

Currently:

FreeIPA 7.1 (Centos)
Client 6.6 (Centos)
NFS 6.6 (Centos) + Samba 3.6

I also have Samba file sharing running on the NFS server, which shares home
directories to Windows users as well. So the NFS server is joined to the Windows
domain as well as the FreeIPA domain.

*FreeIPA Server Automount Conf:*

/etc/auto.master:
/-      /etc/auto.direct
/home   /etc/auto.home
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.home:
*       -rw,no_subtree_check,crossmnt,sec=krb5i     itifs01.itiad.my.ca:/samba/homes/&

maps not connected to /etc/auto.master:

*NFS Server Krb5.conf:*

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = FREEIPA.MY.CA
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  FREEIPA.MY.CA = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .FREEIPA.MY.CA = FREEIPA.MY.CA
  FREEIPA.MY.CA = FREEIPA.MY.CA
  .itiad.my.ca = FREEIPA.MY.CA
  itiad.my.ca = FREEIPA.MY.CA

*NFS Server sssd.conf:*

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = FREEIPA.my.CA
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = itifs01.itiad.my.ca
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, server.freeipa.my.ca
dns_discovery_domain = FREEIPA.my.CA

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = FREEIPA.MY.CA

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

*Client Krb5.conf:*

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = FREEIPA.MY.CA
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  FREEIPA.MY.CA = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .freeipa.my.ca = FREEIPA.MY.CA
  freeipa.my.ca = FREEIPA.MY.CA

*Client SSSD.conf:*

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = freeipa.my.ca
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client2.freeipa.my.ca
chpass_provider = ipa
ipa_server = _srv_, server.freeipa.my.ca
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default

[sssd]
default_domain_suffix = itiad.my.ca
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = freeipa.my.ca

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Thanks,

On 29 September 2015 at 10:47, Alexander Bokovoy wrote:

> On Tue, 29 Sep 2015, Sadettin Albasan wrote:
>
>> I have a freeipa server and a trust relation with an AD domain with almost
>> everything working the way I planned except automounting NFS home
>> directories for domain users. I have been reading about this on the net for
>> almost a week, ended up trying a lot of different configurations, but I had
>> no success with it. The closest I came to was removing krb5 authentication
>> from the export and mount options. It is only then able to mount the
>> directories. Since I have not seen any official guidelines about it, is
>> this in the works or any plan to implement? Thanks.
>>
> As usual, more details are required about server and client
> configuration/software in order to even guess your problems.
>
> What provides NFS storage? What is used on the client machines? How is
> identity mapping configured? Give examples of your configuration.
> > There are some issues in NFS identity mapping code that were fixed > relatively recently and which prevented use of POSIX users with '@' in > the name, for example. > > -- > / Alexander Bokovoy > -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Wed Sep 30 14:08:46 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 30 Sep 2015 17:08:46 +0300 Subject: [Freeipa-users] NFS Automount Domain Homedirs In-Reply-To: References: <20150929154754.GE4539@redhat.com> Message-ID: <20150930140846.GN4539@redhat.com> On Wed, 30 Sep 2015, Sadettin Albasan wrote: >Hi Alexander, > > >Currently; > >FreeIPA 7.1 (Centos) >Client 6.6 (Centos) >NFS 6.6 (Centos) + Samba 3.6 > >I have also samba file sharing running on NFS server which shares home >directories to windows users as well. So NFS server is joined to windows >domain as well as FreeIPA domain. CentOS 6.6 should have nfsidmap fixes needed to support AD users via IPA-AD trust. However, I don't see your configuration for nfs idmap.conf on both client and NFS server. -- / Alexander Bokovoy From tekturk at gmail.com Wed Sep 30 14:42:27 2015 From: tekturk at gmail.com (Sadettin Albasan) Date: Wed, 30 Sep 2015 09:42:27 -0500 Subject: [Freeipa-users] NFS Automount Domain Homedirs In-Reply-To: <20150930140846.GN4539@redhat.com> References: <20150929154754.GE4539@redhat.com> <20150930140846.GN4539@redhat.com> Message-ID: *idmap.conf for NFS Server:* [General] #Verbosity = 0 # The following should be set to the local NFSv4 domain name # The default is the host's DNS domain name. #Domain = local.domain.edu # The following is a comma-separated list of Kerberos realm # names that should be considered to be equivalent to the # local realm, such that @REALM.A can be assumed to # be the same user as @REALM.B # If not specified, the default local realm is the domain name, # which defaults to the host's DNS domain name, # translated to upper-case. 
# Note that if this value is specified, the local realm name # must be included in the list! #Local-Realms = [Mapping] Nobody-User = nobody Nobody-Group = nobody [Translation] # Translation Method is an comma-separated, ordered list of # translation methods that can be used. Distributed methods # include "nsswitch", "umich_ldap", and "static". Each method # is a dynamically loadable plugin library. # New methods may be defined and inserted in the list. # The default is "nsswitch". Method = nsswitch # Optional. This is a comma-separated, ordered list of # translation methods to be used for translating GSS # authenticated names to ids. # If this option is omitted, the same methods as those # specified in "Method" are used. #GSS-Methods = #-------------------------------------------------------------------# # The following are used only for the "static" Translation Method. #-------------------------------------------------------------------# #[Static] # A "static" list of GSS-Authenticated names to # local user name mappings #someuser at REALM = localuser #-------------------------------------------------------------------# # The following are used only for the "umich_ldap" Translation Method. #-------------------------------------------------------------------# #[UMICH_SCHEMA] # server information (REQUIRED) #LDAP_server = ldap-server.local.domain.edu # the default search base (REQUIRED) #LDAP_base = dc=local,dc=domain,dc=edu #-----------------------------------------------------------# # The remaining options have defaults (as shown) # and are therefore not required. 
#-----------------------------------------------------------# # whether or not to perform canonicalization on the # name given as LDAP_server #LDAP_canonicalize_name = true # absolute search base for (people) accounts #LDAP_people_base = # absolute search base for groups #LDAP_group_base = # Set to true to enable SSL - anything else is not enabled #LDAP_use_ssl = false # You must specify a CA certificate location if you enable SSL #LDAP_ca_cert = /etc/ldapca.cert # Objectclass mapping information # Mapping for the person (account) object class #NFSv4_person_objectclass = NFSv4RemotePerson # Mapping for the nfsv4name attribute the person object #NFSv4_name_attr = NFSv4Name # Mapping for the UID number #NFSv4_uid_attr = UIDNumber # Mapping for the GSSAPI Principal name #GSS_principal_attr = GSSAuthName # Mapping for the account name attribute (usually uid) # The value for this attribute must match the value of # the group member attribute - NFSv4_member_attr #NFSv4_acctname_attr = uid # Mapping for the group object class #NFSv4_group_objectclass = NFSv4RemoteGroup # Mapping for the GID attribute #NFSv4_gid_attr = GIDNumber # Mapping for the Group NFSv4 name #NFSv4_group_attr = NFSv4Name # Mapping for the Group member attribute (usually memberUID) # The value of this attribute must match the value of NFSv4_acctname_attr #NFSv4_member_attr = memberUID *idmap.conf for client:* [General] #Verbosity = 0 # The following should be set to the local NFSv4 domain name # The default is the host's DNS domain name. #Domain = local.domain.edu # The following is a comma-separated list of Kerberos realm # names that should be considered to be equivalent to the # local realm, such that @REALM.A can be assumed to # be the same user as @REALM.B # If not specified, the default local realm is the domain name, # which defaults to the host's DNS domain name, # translated to upper-case. # Note that if this value is specified, the local realm name # must be included in the list! 
#Local-Realms = [Mapping] Nobody-User = nobody Nobody-Group = nobody [Translation] # Translation Method is an comma-separated, ordered list of # translation methods that can be used. Distributed methods # include "nsswitch", "umich_ldap", and "static". Each method # is a dynamically loadable plugin library. # New methods may be defined and inserted in the list. # The default is "nsswitch". Method = nsswitch # Optional. This is a comma-separated, ordered list of # translation methods to be used for translating GSS # authenticated names to ids. # If this option is omitted, the same methods as those # specified in "Method" are used. #GSS-Methods = #-------------------------------------------------------------------# # The following are used only for the "static" Translation Method. #-------------------------------------------------------------------# #[Static] # A "static" list of GSS-Authenticated names to # local user name mappings #someuser at REALM = localuser #-------------------------------------------------------------------# # The following are used only for the "umich_ldap" Translation Method. #-------------------------------------------------------------------# #[UMICH_SCHEMA] # server information (REQUIRED) #LDAP_server = ldap-server.local.domain.edu # the default search base (REQUIRED) #LDAP_base = dc=local,dc=domain,dc=edu #-----------------------------------------------------------# # The remaining options have defaults (as shown) # and are therefore not required. 
#-----------------------------------------------------------# # whether or not to perform canonicalization on the # name given as LDAP_server #LDAP_canonicalize_name = true # absolute search base for (people) accounts #LDAP_people_base = # absolute search base for groups #LDAP_group_base = # Set to true to enable SSL - anything else is not enabled #LDAP_use_ssl = false # You must specify a CA certificate location if you enable SSL #LDAP_ca_cert = /etc/ldapca.cert # Objectclass mapping information # Mapping for the person (account) object class #NFSv4_person_objectclass = NFSv4RemotePerson # Mapping for the nfsv4name attribute the person object #NFSv4_name_attr = NFSv4Name # Mapping for the UID number #NFSv4_uid_attr = UIDNumber # Mapping for the GSSAPI Principal name #GSS_principal_attr = GSSAuthName # Mapping for the account name attribute (usually uid) # The value for this attribute must match the value of # the group member attribute - NFSv4_member_attr #NFSv4_acctname_attr = uid # Mapping for the group object class #NFSv4_group_objectclass = NFSv4RemoteGroup # Mapping for the GID attribute #NFSv4_gid_attr = GIDNumber # Mapping for the Group NFSv4 name #NFSv4_group_attr = NFSv4Name # Mapping for the Group member attribute (usually memberUID) # The value of this attribute must match the value of NFSv4_acctname_attr #NFSv4_member_attr = memberUID Domain=freeipa.my.ca On 30 September 2015 at 09:08, Alexander Bokovoy wrote: > On Wed, 30 Sep 2015, Sadettin Albasan wrote: > >> Hi Alexander, >> >> >> Currently; >> >> FreeIPA 7.1 (Centos) >> Client 6.6 (Centos) >> NFS 6.6 (Centos) + Samba 3.6 >> >> I have also samba file sharing running on NFS server which shares home >> directories to windows users as well. So NFS server is joined to windows >> domain as well as FreeIPA domain. >> > CentOS 6.6 should have nfsidmap fixes needed to support AD users via > IPA-AD trust. > > However, I don't see your configuration for nfs idmap.conf on both client > and > NFS server. 
>
> --
> / Alexander Bokovoy
>

From abokovoy at redhat.com Wed Sep 30 14:46:19 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 30 Sep 2015 17:46:19 +0300
Subject: [Freeipa-users] NFS Automount Domain Homedirs
In-Reply-To:
References: <20150929154754.GE4539@redhat.com> <20150930140846.GN4539@redhat.com>
Message-ID: <20150930144619.GP4539@redhat.com>

On Wed, 30 Sep 2015, Sadettin Albasan wrote:
>*idmap.conf for NFS Server:*
>
>[General]
>#Verbosity = 0
># The following should be set to the local NFSv4 domain name
># The default is the host's DNS domain name.
>#Domain = local.domain.edu
>
># The following is a comma-separated list of Kerberos realm
># names that should be considered to be equivalent to the
># local realm, such that <user>@REALM.A can be assumed to
># be the same user as <user>@REALM.B
># If not specified, the default local realm is the domain name,
># which defaults to the host's DNS domain name,
># translated to upper-case.
># Note that if this value is specified, the local realm name
># must be included in the list!
>#Local-Realms =
>
>[Mapping]
>
>Nobody-User = nobody
>Nobody-Group = nobody
>
>[Translation]
>
># Translation Method is a comma-separated, ordered list of
># translation methods that can be used. Distributed methods
># include "nsswitch", "umich_ldap", and "static". Each method
># is a dynamically loadable plugin library.
># New methods may be defined and inserted in the list.
># The default is "nsswitch".
>Method = nsswitch

Use Method = sss

The module for this method is part of the sssd-common RPM package.

>*idmap.conf for client:*
>
>[General]
>#Verbosity = 0
># The following should be set to the local NFSv4 domain name
># The default is the host's DNS domain name.
>#Domain = local.domain.edu
>
># The following is a comma-separated list of Kerberos realm
># names that should be considered to be equivalent to the
># local realm, such that <user>@REALM.A can be assumed to
># be the same user as <user>@REALM.B
># If not specified, the default local realm is the domain name,
># which defaults to the host's DNS domain name,
># translated to upper-case.
># Note that if this value is specified, the local realm name
># must be included in the list!
>#Local-Realms =
>
>[Mapping]
>
>Nobody-User = nobody
>Nobody-Group = nobody
>
>[Translation]
>
># Translation Method is a comma-separated, ordered list of
># translation methods that can be used. Distributed methods
># include "nsswitch", "umich_ldap", and "static". Each method
># is a dynamically loadable plugin library.
># New methods may be defined and inserted in the list.
># The default is "nsswitch".
>Method = nsswitch

Same here.

--
/ Alexander Bokovoy

From janellenicole80 at gmail.com Wed Sep 30 15:30:31 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 30 Sep 2015 08:30:31 -0700
Subject: [Freeipa-users] password resets - errors
In-Reply-To: <560987DF.6070903@redhat.com>
References: <5607ED70.7070003@gmail.com> <560983F5.4030204@redhat.com> <560987DF.6070903@redhat.com>
Message-ID: <560C0017.2080206@gmail.com>

On 9/28/15 11:33 AM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On 27/09/15 09:21, Janelle wrote:
>>> Hello,
>>>
>>> I continue to see these a lot, but only on some servers. It causes a lot
>>> of confusion with my users. There must be a way to troubleshoot this
>>> and find the issue. Also, there is nothing wrong with the password
>>> policies. They are all set to default, and this occurs even when a
>>> user's password has expired. The only thing I can say is it tends to
>>> happen on more heavily loaded servers than lightly loaded ones. And
>>> perhaps the most important point - the password *IS* changed
>>> successfully!
>>>
>>> Changing password for user expired-user.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> Password change failed. Server message: Current password's minimum life
>>> has not expired
>>>
>>> Password not changed.
>>> passwd: Authentication token manipulation error
>>>
>>> Thoughts? Anything?
>> This may be due to an implementation issue in the client.
>> libkrb5 tends to wait only 1 second for an operation to succeed/fail and
>> will send a new (identical) message if it gets back no answer; this is
>> due to the fact that historically KRB5 has used UDP in preference, which
>> doesn't guarantee message delivery, so the only option is to retry.
>>
>> However, if the first message actually went through and the only problem
>> is that the server was busy and slower, a second message will be received
>> and processed just the same, only to find out the password has just been
>> changed and can't be changed again, hence the error message.
>>
>> I guess one way to handle this would be to disable clients from using
>> UDP completely, although I am not 100% certain this will avoid the
>> problem; IIRC at least in some versions the client library would retry
>> after 1 second even on TCP.
>>
>> Simo.
>>
>>
> udp_preference_limit 0 was added to /etc/krb5.conf in 4.2 to prefer TCP
> for the initial request anyway. According to the man page it will always
> fall back to UDP upon failure.
>
> rob
>

Something to add:

If I get the failure and then try again, I get:

Current Password:
System is offline, password change not possible
passwd: Authentication token manipulation error

I also tried setting the kdc_timeout to 10 seconds (it says the default is 3).

tcpdump shows everything running over TCP and it never goes to UDP at all, so
this is now out of the picture.

Any other ideas? I guess I need to turn on debug_level to something about 7 to
try and figure this out.

~Janelle

From tekturk at gmail.com Wed Sep 30 18:28:15 2015
From: tekturk at gmail.com (Sadettin Albasan)
Date: Wed, 30 Sep 2015 13:28:15 -0500
Subject: [Freeipa-users] NFS Automount Domain Homedirs
In-Reply-To:
References: <20150929154754.GE4539@redhat.com> <20150930140846.GN4539@redhat.com> <20150930144619.GP4539@redhat.com>
Message-ID:

Here is a list of installed sssd packages:

sssd-client-1.12.4-47.el6.x86_64
sssd-common-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64
python-sssdconfig-1.12.4-47.el6.noarch
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-tools-1.12.4-47.el6.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64

On 30 September 2015 at 13:18, Sadettin Albasan wrote:

> I get this error when putting sss into method even after upgrading my
> systems to centos 6.7
>
> Shutting down NFS daemon:                                  [  OK  ]
> Shutting down NFS mountd:                                  [  OK  ]
> Shutting down NFS services:                                [  OK  ]
> Shutting down RPC svcgssd:                                 [  OK  ]
> Shutting down RPC idmapd:                                  [  OK  ]
> Starting RPC svcgssd:                                      [  OK  ]
> Starting NFS services:                                     [  OK  ]
> Starting NFS mountd:                                       [  OK  ]
> Starting NFS daemon:                                       [  OK  ]
> Starting RPC idmapd: rpc.idmapd: libnfsidmap: requested translation
> method, 'sss', is not available
>
> rpc.idmapd: Unable to create name to user id mappings.
>                                                            [FAILED]
>
>
> On 30 September 2015 at 09:46, Alexander Bokovoy
> wrote:
>
>> On Wed, 30 Sep 2015, Sadettin Albasan wrote:
>>
>>> *idmap.conf for NFS Server:*
>>>
>>>
>>> [General]
>>> #Verbosity = 0
>>> # The following should be set to the local NFSv4 domain name
>>> # The default is the host's DNS domain name.
>>> #Domain = local.domain.edu >>> >>> # The following is a comma-separated list of Kerberos realm >>> # names that should be considered to be equivalent to the >>> # local realm, such that @REALM.A can be assumed to >>> # be the same user as @REALM.B >>> # If not specified, the default local realm is the domain name, >>> # which defaults to the host's DNS domain name, >>> # translated to upper-case. >>> # Note that if this value is specified, the local realm name >>> # must be included in the list! >>> #Local-Realms = >>> >>> [Mapping] >>> >>> Nobody-User = nobody >>> Nobody-Group = nobody >>> >>> [Translation] >>> >>> # Translation Method is an comma-separated, ordered list of >>> # translation methods that can be used. Distributed methods >>> # include "nsswitch", "umich_ldap", and "static". Each method >>> # is a dynamically loadable plugin library. >>> # New methods may be defined and inserted in the list. >>> # The default is "nsswitch". >>> Method = nsswitch >>> >> Use Method = sss >> >> The module for this method is part of sssd-common RPM package. >> >> *idmap.conf for client:* >>> >>> >>> [General] >>> #Verbosity = 0 >>> # The following should be set to the local NFSv4 domain name >>> # The default is the host's DNS domain name. >>> #Domain = local.domain.edu >>> >>> # The following is a comma-separated list of Kerberos realm >>> # names that should be considered to be equivalent to the >>> # local realm, such that @REALM.A can be assumed to >>> # be the same user as @REALM.B >>> # If not specified, the default local realm is the domain name, >>> # which defaults to the host's DNS domain name, >>> # translated to upper-case. >>> # Note that if this value is specified, the local realm name >>> # must be included in the list! >>> #Local-Realms = >>> >>> [Mapping] >>> >>> Nobody-User = nobody >>> Nobody-Group = nobody >>> >>> [Translation] >>> >>> # Translation Method is an comma-separated, ordered list of >>> # translation methods that can be used. 
>>> # Distributed methods
>>> # include "nsswitch", "umich_ldap", and "static". Each method
>>> # is a dynamically loadable plugin library.
>>> # New methods may be defined and inserted in the list.
>>> # The default is "nsswitch".
>>> Method = nsswitch
>>>
>> Same here.
>>
>> --
>> / Alexander Bokovoy
>>
>

From matt.wells at mosaic451.com Wed Sep 30 18:36:47 2015
From: matt.wells at mosaic451.com (Matt Wells)
Date: Wed, 30 Sep 2015 11:36:47 -0700
Subject: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops
Message-ID:

Hi all,

I hoped I may glean some brilliance from the group. I have a FreeIPA server
sitting atop a Fedora 21 server. The initial plan was to replicate
users+passwords with a Windows 2012R2 server, but following some of the
information in the other posts and docs we've moved to a trust. The trust has
been set up using the documentation and in short it's worked without issue.
I'm able to get principals from the Windows realm (marvel.comics.com).

So what I'm attempting and failing to do is authenticating my IPA users to the
Windows 8 desktops. Ideally I don't want any users in AD; it's simply there to
deliver a GPO and in the next year it will be phased out and we'll be replacing
Windows 8 with Linux desktops.

So marvel.comics.com = windows
dc.comics.com = freeipa

# rpm -qi freeipa-server
Name        : freeipa-server
Version     : 4.1.4
Release     : 1.fc21
Architecture: x86_64
Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
Group       : System Environment/Base
Size        : 4521059
License     : GPLv3+
Signature   : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID 89ad4e8795a43f54
Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
Build Date  : Thu 26 Mar 2015 03:16:19 PM UTC
Build Host  : buildhw-07.phx2.fedoraproject.org

[root@freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17 22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
Fedora release 21 (Twenty One)

To cut to the chase, here's me logging into a Windows 8 desktop system. I try to
log in 3 different ways; this system is a member of the marvel domain. Time is
extremely close, close enough that I feel really good about ruling it out.

Any light you all could shed on this would be outstanding. Thank you all for
your time on this, I really appreciate all the time and effort this team puts
into reading these posts.

Username: dc/greenlantern
Password: ************

[root@freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i greenlantern
[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"

Username: greenlantern@dc
Password: ************

[30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"

Username: greenlantern@dc.comics.com
Password: ************

[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C@dc.COMICS.com@DC.COMICS.COM)(krbPrincipalName=greenlantern\5C@dc.COMICS.com@DC.COMICS.COM)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"

From what I can tell, everything looks good to wbinfo; we see the domain and
he sees us. In the AD trust I can go under the trust and validate the trust
with no issues.

[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --online-status
BUILTIN : online
DC : online
MARVEL : online
[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info marvel.comics.com
Name              : MARVEL
Alt_Name          : marvel.comics.com
SID               : S-1-5-21-3495301974-2766379234-3984916731
Active Directory  : Yes
Native            : Yes
Primary           : No
[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n 'MARVEL.COMICS.COM\Domain Admins'
S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2)
[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info marvel.comics.com
Name              : MARVEL
Alt_Name          : marvel.comics.com
SID               : S-1-5-21-3495301974-2766379234-3984916731
Active Directory  : Yes
Native            : Yes
Primary           : No
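The three 389-ds access-log lines in the post already say what name form each logon attempt reached the KDC as. For "dc/greenlantern" and "greenlantern@dc" the search is for krbPrincipalName=greenlantern@dc, i.e. the short domain name typed at the Windows prompt arrived as the realm component with no mapping applied; for "greenlantern@dc.comics.com" the search is for greenlantern\@dc.COMICS.com@DC.COMICS.COM (the \5C in the filter is the LDAP escape for a backslash), which is the enterprise-principal form: the whole typed UPN kept as the name component, with the IPA realm appended. The Python below, added here as an illustration and not code from Matt's post or from FreeIPA, parses such SRCH lines, decodes the LDAP filter escapes and splits the principal into name and realm so the mismatch is visible at a glance. The sample lines are constructed copies of the three entries with the attrs list shortened, and IPA_REALM = DC.COMICS.COM is an assumption taken from the post's dc.comics.com.

```python
"""Pull the principal the IPA KDC actually searched for out of 389-ds access-log
SRCH lines, to see what name form a Windows logon attempt arrived as.

Added illustration, not code from the FreeIPA project or from the post above.
IPA_REALM and SAMPLE_LOG are constructed to mirror the three logon attempts in
the post; the realm name is an assumption taken from it.
"""
import re
import string
from dataclasses import dataclass
from typing import List, Tuple

# Kerberos realm of the IPA domain (assumed from the post's dc.comics.com).
IPA_REALM = "DC.COMICS.COM"

# Constructed sample log lines modelled on the three SRCH entries in the post
# (attrs list shortened; \5C is the LDAP-filter escape for a backslash).
SAMPLE_LOG = r"""
[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName objectClass"
[30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName objectClass"
[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C@dc.COMICS.com@DC.COMICS.COM)(krbPrincipalName=greenlantern\5C@dc.COMICS.com@DC.COMICS.COM)))" attrs="krbPrincipalName objectClass"
"""

SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'.*?filter="(?P<filter>[^"]*)"'
)
PRINC_RE = re.compile(r"\(krbPrincipalName=(?P<princ>[^)]*)\)")


def unescape_ldap_filter(value: str) -> str:
    """Decode RFC 4515 filter escapes (backslash + two hex digits) to text."""
    buf = bytearray()
    i = 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            buf.append(int(pair, 16))
            i += 3
        else:
            buf.extend(value[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8", errors="replace")


def split_principal(princ: str) -> Tuple[str, str]:
    """Split name@REALM at the last '@' that is not Kerberos-quoted (\\@).

    A quoted '@' left inside the name component is what an enterprise-principal
    lookup looks like once the KDC has appended its own realm.
    """
    for i in range(len(princ) - 1, -1, -1):
        if princ[i] == "@" and (i == 0 or princ[i - 1] != "\\"):
            return princ[:i].replace("\\@", "@"), princ[i + 1:]
    return princ.replace("\\@", "@"), ""


@dataclass
class KdcLookup:
    timestamp: str
    op: int
    name: str          # name component the KDC searched for
    realm: str         # realm component the KDC searched for
    enterprise: bool   # True when the name itself still carries an '@'

    @property
    def realm_matches_ipa(self) -> bool:
        return self.realm.upper() == IPA_REALM


def parse_kdc_lookups(log_text: str) -> List[KdcLookup]:
    """Return one KdcLookup per SRCH line that carries a krbPrincipalName filter."""
    found = []
    for line in log_text.splitlines():
        m = SRCH_RE.match(line)
        if not m:
            continue
        pm = PRINC_RE.search(m.group("filter"))
        if not pm:
            continue
        name, realm = split_principal(unescape_ldap_filter(pm.group("princ")))
        found.append(KdcLookup(m.group("ts"), int(m.group("op")), name, realm, "@" in name))
    return found


def describe(lookups: List[KdcLookup]) -> List[str]:
    """One verdict line per lookup, for eyeballing a failed logon."""
    out = []
    for lk in lookups:
        if lk.realm_matches_ipa:
            how = "enterprise-style UPN" if lk.enterprise else "plain principal"
            out.append(f"op={lk.op}: {lk.name}@{lk.realm} ({how}, realm matches {IPA_REALM})")
        else:
            out.append(f"op={lk.op}: {lk.name}@{lk.realm} (realm {lk.realm!r} is not {IPA_REALM}: "
                       "the typed suffix reached the KDC unmapped)")
    return out


if __name__ == "__main__":
    for verdict in describe(parse_kdc_lookups(SAMPLE_LOG)):
        print(verdict)
```

Run against a real access log, the same parser shows in one pass which typed username forms ever reached the KDC with the expected realm; the two "dc" lookups above cannot match any entry under dc=dc,dc=comics,dc=com because no principal in that tree has realm "dc".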
From Andy.Thompson at e-tcc.com Wed Sep 30 19:04:43 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Wed, 30 Sep 2015 19:04:43 +0000
Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
In-Reply-To: <20150930124219.GT15644@hendrix.arn.redhat.com>
References: <20150915123638.GN2884@hendrix> <9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local> <20150918084152.GF3162@hendrix.redhat.com> <66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local> <20150921192924.GQ13819@hendrix.redhat.com> <594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local> <20150921200943.GY13819@hendrix.redhat.com> <4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local> <560A7BA1.7080706@redhat.com> <3ab447cc1e9549869d9cb58176bce9cf@TCCCORPEXCH02.TCC.local> <20150930124219.GT15644@hendrix.arn.redhat.com>
Message-ID:

> On Wed, Sep 30, 2015 at 12:17:22PM +0000, Andy Thompson wrote:
> > > On 09/21/2015 10:42 PM, Andy Thompson wrote:
> > > >> On Mon, Sep 21, 2015 at 07:39:01PM +0000, Andy Thompson wrote:
> > > >>>> -----Original Message-----
> > > >>>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> > > >>>> Sent: Monday, September 21, 2015 3:29 PM
> > > >>>> To: Andy Thompson
> > > >>>> Cc: freeipa-users at redhat.com; pbrezina at redhat.com
> > > >>>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> > > >>>>
> > > >>>> On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson wrote:
> > > >>>>>>
> > > >>>>>> On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson
> wrote:
> > > >>>>>>> I've narrowed it down a bit doing some testing. The sudo
> > > >>>>>>> rules work when
> > > >>>>>> I remove the user group restriction from them. My sudo rules
> > > >>>>>> all have my ad groups in the rule
> > > >>>>>>>
> > > >>>>>>> Rule name: ad_linux_admins
> > > >>>>>>> Enabled: TRUE
> > > >>>>>>> Host category: all
> > > >>>>>>> Command category: all
> > > >>>>>>> RunAs User category: all
> > > >>>>>>> RunAs Group category: all
> > > >>>>>>> User Groups: ad_linux_admins <- if I remove this then
> > > >>>>>>> the rule gets
> > > >>>>>> applied
> > > >>>>>>
> > > >>>>>> Nice catch. Is the group visible after you login and run id?
> > > >>>>>>
> > > >>>>>> What is the exact IPA server version?
> > > >>>>>
> > > >>>>> Ok I also figured out if I rename my AD groups to match my IPA
> > > >>>>> groups then
> > > >>>> the sudo rules are applied.
> > > >>>>>
> > > >>>>> I tested a couple things though, if I put a rule in the local
> > > >>>>> sudoers file on a server running sssd 1.11
> > > >>>>>
> > > >>>>> %@ "sudo commands"
> > > >>>>>
> > > >>>>> That rule was not applied. If I remove the then
> > > >>>>> the rule got
> > > >>>> applied.
> > > >>>>>
> > > >>>>> On a server running sssd 1.12 that rule works, but does not
> > > >>>>> work if I
> > > >>>> remove the . And none of the IPA sudo rules work.
> > > >>>> So something changed with the domain suffix between versions it
> > > >>>> would appear.
> > > >>>>>
> > > >>>>> The key to making the IPA sudo rules work in 1.12 is to
> > > >>>>> remove the
> > > >>>> default_domain_suffix setting in the sssd.conf, but that's not
> > > >>>> an option in my environment.
> > > >>>>>
> > > >>>>> So all the moving parts together, it appears that having AD
> > > >>>>> groups with a different name than the IPA groups in
> > > >>>>> conjunction with the default_domain_suffix setting breaks things
> right now in 1.12.
> > > >>>>> Appears since I renamed the ad group to match then the rule
> > > >>>>> without a domain suffix will get matched now
> > > >>>>
> > > >>>> Hello Andy,
> > > >>>>
> > > >>>> I'm sorry for the constant delays, but I was busy with some
> > > >>>> trust-related fixes lately.
> > > >>>>
> > > >>>> Did you have a chance to confirm that just swapping sssd /on
> > > >>>> the client/ while keeping the same version on the server fixes
> > > >>>> the issue for
> > > >> you?
> > > >>>>
> > > >>>> Pavel (CC), can you help me out here, please? I have the setup
> > > >>>> ready on my machine, so tomorrow we can take a look and
> > > >>>> experiment (I can give you access to my environment via tmate
> > > >>>> maybe..), but I wasn't able to reproduce the issue locally yet.
> > > >>>
> > > >>> It's fine I understand the backlog.
> > > >>>
> > > >>> I was not able to backrev the sssd due to dependency issues. I
> > > >>> tried
> > > >> downgrading all the dependencies and got in a loop and stopped
> > > >> trying. Are there any tricks you can think of to downgrade the
> > > >> sssd
> > > cleanly?
> > > >>>
> > > >>> -andy
> > > >>>
> > > >>
> > > >> What failures are you getting? I normally just download all
> > > >> *sss* packages and then downgrade with rpm -U --oldpackage.
> > > >
> > > >
> > > > I'm just trying to use yum. If I yum downgrade sssd I get a ton
> > > > of deps. If I include all the deps it lists
> > > >
> > > > yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac sssd-krb5
> > > > sssd-krb5-common sssd-ldap sssd-ad libipa_hbac libipa_hbac-python
> > > > python-sssdconfig
> > > >
> > > > I get multilib errors with libsss_idmap.
> > > >
> > > > Looks like my local repo doesn't have libsss_idmap 1.11 available.
> > > > Let me
> > > look into that and see what repo it sits in and see if I can figure
> > > out why it's not pulling in.
> > > >
> > > > -andy
> > > >
> > >
> > > Hi, since none of us is able to reproduce this in house, can you
> > > give us more precise steps how to reproduce and more information?
> > > What I have in mind at this moment is:
> > >
> > > 1) How is membership defined? I suspect it goes as AD-USER ->
> > > AD-GROUP
> > > -> IPA->GROUP, right? What types of groups are used?
> > >
> >
> > I have AD user->AD group->external IPA group->IPA group
> >
> > > 2) sssd.conf might also turn out to be useful
> > >
> > > 3) Remove SSSD and sudo logs, reproduce and send us all the logs
> > > please with the commands to reproduce. Not just snippets.
> > >
> >
> > I can gather this up and get it over to you.
> >
> > Actually I just realized I have two other environments and this is working
> without issue in those environments. I haven't done a full sudo rollout in
> those environments yet so I didn't think to check those, but the admins rule
> is working correctly and I haven't renamed any ad groups to match my IPA
> groups.
> >
> > Could it be something in a sudo rule or something in AD that's interfering
> with this working correctly?
>
> I would first try to find the difference in the environment. Are sssd versions
> the same on the clients and servers? Are sudo versions the same?
>
> ...etc.
>
> Pavel has a sudo troubleshooting guide in the works, maybe it would help..

All updates are controlled from the same repo so versions are all the same between the environments, that's why I'm wondering if something in AD could cause this. Can't imagine what it would be though. Groups are all mapped in the same way. Sudo is set up the same and works fine; it was just the AD group name being different that is throwing it fits in this one environment. Once I renamed the AD groups to match, it all started pulling in without any issue. I will add the finer grained rules in the other environments when I start rolling it out there one at a time and see if I can tie it to any of those.

-andy